Symantec have finally secured their somewhat surreal HackIsWack competition website.
Symantec have collaborated with rapper Snoop Dogg to raise awareness about malware and identity theft. The site is intended to provide a forum for a rap competition: users post their own videos of their cybercrime-related raps. A whopping 22 videos have been posted on the site so far.
Apparently this isn't the first time this kind of thing has happened. HackIsWack has been described as the most comically inept campaign since Don't Copy that Floppy, which was a failed rap/security collab from the early 1990s.
The irony of it all is that when the site went live it was riddled with security holes, including a cross-site scripting flaw that lent itself to the rickrolling attack. Hilarious for us, but incredibly embarrassing for the security giant Symantec. Symantec released a statement over the weekend, which said the following:
Symantec was made aware of reported vulnerabilities to the Norton Hack is Wack microsite, and we quickly took the necessary steps to enhance security on the site. We have found no evidence to date that any intrusion into the site or other areas of Symantec's network or website have occurred.
To date, Symantec can confirm that no company or customer data has been compromised or exposed. Symantec takes the security of our website and microsites very seriously, and we have taken the necessary steps to resolve this issue.
But there are no clues as to why they went live with a seriously flawed and untested site. The rickrolling XSS was the most talked-about flaw on the site, but security blogger Mike Bailey has lovingly compiled a list of the multitude of flaws that were present on the site at the time, like the caching of sensitive data and upload security issues, plus more:
Hack is Wack site is chock full of holes. For example, there’s the publicly available, indexed cache directory with all that SQL, JSON and other data. There’s the XSS vulns (HTML5 only, though it should be simple enough to rewrite), CSRF holes, and the Flash upload issues in the video upload script (a Joomla module that appears to have been used without any quality control or review despite the fact that it’s currently in Alpha)
The rickrolling has now gone from the site, and Symantec say they have cleaned up the rest too. So, enjoy!
