FSJ Hacked? Maybe!
Was the Fake Steve Jobs blog hacked? It sure seems that way. Over the long weekend, there were a number of posts from "Fake Bono," which were actually pretty entertaining. I figured it was just another ruse to drive traffic (like Fake Larry), but this post on FSJ yesterday seems legit. If it is, then let's speculate a bit on how the blog could be hacked and figure out what lessons are to be learned.
First of all, this was clearly a targeted attack. It's not like a bunch of SEO bandits took over the site (like Gore's Inconvenient Truth site, H/T to Jeremiah); this was someone who clearly had the impostor posts ready to go in FSJ's style. So if I were the bad guy (and I'm not), how would I do it?
FSJ links to a lot of random pictures and web sites, so I presume he gets plenty of emails with tips on things he could or should check out. Nothing wrong with that, but if an attacker knows it, he or she sends FSJ a message with a title too juicy to ignore. Something like "SquirrelBoy found with nuts in his mouth." The real FSJ clicks the link and lands on a web page that (most likely) mounts a CSRF attack: the page makes FSJ's own browser send a request to Google, and the browser attaches FSJ's Google cookies to it automatically.
Remember, FSJ is most likely still logged into Google (which is vulnerable to all sorts of XSS and CSRF attacks). The request originates from the malicious web server's page, but it carries FSJ's session cookie, so Google treats it as if FSJ had sent it himself. The attacker never has to see the cookie or the response; one forged state-changing request is enough. Once the CSRF lands and the forged request has changed the password (or the recovery address), they log into Blogspot as FSJ with the new password, add the Fake Bono account, and it's game over. The real FSJ is locked out and only Google can reset it, which usually takes days.
How do you stop this kind of very targeted, very specific attack? It's very hard. The real fix belongs on Google's side (rejecting state-changing requests that lack an anti-CSRF token, asking for the current password before changing it, confirming the change by email), and since FSJ is using Google's software, it's not like he can turn on a CAPTCHA, additional authentication, or email confirmation of a password change himself. And part of FSJ's business is checking out these sites, so he'll have to be very disciplined about logging out of Google or, more likely, open these random links in a virtual machine (or at least a separate browser profile) on his fake MacBook Pro that is NOT logged into Google (EVER).
Again, I don't know for sure that this hack was real. But it is certainly plausible.
That's all for now. I have to write some Fake Incite posts.