How to Recognise a Self-XSS Scam

How to beat the hackers who can compromise your social networking account

Self-XSS graphic by Profit_Image.
Self-XSS graphic by Profit_Image/Shutterstock.

It’s a typical Wednesday afternoon. You are enjoying your lunch and posting on your favourite social networking account. Then you see this video clip on a friend’s page. It’s a group of kittens at play, doing daft things. You click on the clip, then something strange happens. Your Facebook wall or Google+ account is littered with strange or distasteful posts, which you have no knowledge about. Then you realise your account has been hacked. Then you find out what caused this: a self-XSS scam.

What is a Self-XSS scam?

A Self-XSS scam alters the code on the site you are using. It is so-called because the action is conducted on your own PC. Hackers could compromise your account by going into the Developer Tools option on your web browser. Under the Console section of the Developer Tools option would be the site’s errors. Google, Twitter and Facebook no longer display the error messages from their websites. Being able to access the error messages gives hackers free reign to spam or hack their way to your site.

What is XSS?

XSS stands for Cross-site Scripting, with the ‘x’ used to symbolise the cross in a Christmas/Xmas sense. In 2007, according to Symantec, it accounted for 84% of all security vulnerabilities. This can vary from a trifling glitch to a major security hole. There are three types of XSS flaws:

  • Non-persistent flaws;
  • Persistent flaws;
  • DOM-based flaws.

Non-persistent flaws can allow malicious sites to attack users of, for example, Google’s services whilst logged in. This is common with HTTP query parameters.

Persistent flaws may include embedded vulnerabilities like a worm. This could be hidden inside a video clip, posted on a social networking site, and compromise an insecure PC.

DOM-based flaws were traditionally found in applications which used server-side data processing. In 2011, a number of jQuery programs were found to have had DOM-based flaws.

The above can be rectified by:

  • Contextual output encoding or escaping: several escaping schemes can be used where the untrusted string needs to be placed within an HTML document. This includes HTML entity encoding, JavaScript and CSS escaping, and URL (or percent) encoding.
  • Safely validating untrusted HTML input: in the comments sections of blogs and status boxes of social networking sites should limit facilities for the use of certain characters.
    Disabling scripts: it is possible to disable client-side scripts within your web browser.
  • A single space: the most effective way of circumventing self-XSS scams entails a single space within the source code (seen within the a href link inside double quote marks).
  • Treading carefully: though you may be tempted to click the link, show some discretion. The kitten video clip link may take you to another one which could be dodgy. Clicking the right mouse button and selecting ‘Inspect Element’ could be a good tip if you’re comfortable with reading the source code.

Net66, 22 April 2016.