
Wednesday, February 22, 2012

“Breaking and Entering” Through Open Doors: Website Scripting Attacks and the Computer Fraud and Abuse Act, Part 1

IMPORTANT: clicking through to the main body of this post may cause unusual behaviors in your web browser.
Seriously. Please read more below before clicking through to the post!

Thank you Dan, Sarah, and the other Prawfs hosts for giving me the opportunity to guest Blawg! I will be writing about a project I am currently working on with one of my students (Nick Carey), examining common website cybersecurity vulnerabilities in the context of cybercrime law.

The purpose of this post is to examine these (potential) cybersecurity vulnerabilities in PrawfsBlawg. It is the first of what I hope will be a few posts examining how current federal cybercrime law (the Computer Fraud and Abuse Act, or CFAA) applies to certain Internet activities that straddle the line between aggressive business practices and criminal intent.

While it is certainly possible to analyze these without a public post, making the post public provides more opportunity to showcase these vulnerabilities in a way that brings the debate to life without the "risk" of engaging attackers set on causing damage.

As other scholars have observed, judicial references to the CFAA notably increased over the past decade. Part 2 of this post, which will be forthcoming after we identify which vulnerabilities are (and are not) present in the Blawg, will provide a more substantive treatment of the legal issues involved and a (better) place for discussion.

Posted by David Thaw on February 22, 2012 at 02:57 PM in Criminal Law, Information and Technology


This comment provides an inline link demonstrating how a social engineering attack can "steal" someone's username and password. If you click on the link, a small window will pop up displaying your Prawfs/TypePad information. We do not retain this information or transmit it to anyone (as the poster, I don't even have access myself!), and clicking on it will not increase risk of harm to your computer. Think of it like someone putting a mirror next to a door handle that reflected back the image of your key. Or, alternatively, like when the University Police put a little flyer under your windshield wipers indicating they "checked" your car and identifying what visible items might be likely to be stolen.

The point is, someone else -- with malicious intent -- *could* steal information this way.

Fortunately, Prawfs isn't really a security risk - there's not much damage someone could do with this information, since there isn't a password to steal and the attacker can pretend to be someone else anyway. But if this were, say, Facebook -- especially with the "Login with Facebook" function spreading throughout the web -- that could cause a lot more damage. And increase political pressure to criminalize these activities.

An example socially-engineered comment pretending to be me (the post author) might look like:

Many of the comments here don't really demonstrate the problem. I think this post would be more helpful if some of the comments actually had working links, like this:

Click here to activate demonstration link

H/T to my student Nick Carey, who did an excellent job of developing the code to demonstrate this vulnerability.

Posted by: David Thaw | Apr 17, 2012 7:03:12 PM
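The comment thread above shows the problem from the reader's side: text typed into a comment body, or even into the poster's name field, ends up in the page as live markup, so a commenter's link can run as script in every visitor's browser. As an added example (not code from the post, from Nick Carey's demonstration, or from TypePad), the JavaScript below places the vulnerable rendering beside the hardened one: every user-controlled value is HTML-escaped before it is concatenated into the page, and a link supplied by a commenter is emitted only if its scheme is http or https. All function names and the sample comment are constructed for this example.

```javascript
// Added example: output encoding for user-supplied blog comments, the
// standard defence against script injected through a comment form.
// Function names and sample data are constructed for this illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that carry meaning in an HTML text or
// double-quoted attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: author and body are concatenated into the page
// unchanged, so any tags they contain become part of the document
// (stored cross-site scripting). Shown only for contrast.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><p>${body}</p><p>Posted by: ${author}</p></div>`;
}

// Hardened rendering: the same template, but every user-controlled value
// is escaped first, so '<script>' reaches the browser as '&lt;script&gt;'
// and is displayed as text rather than executed.
function renderCommentSafe(author, body) {
  return `<div class="comment"><p>${escapeHtml(body)}</p><p>Posted by: ${escapeHtml(author)}</p></div>`;
}

// Escaping alone does not make an href safe: a syntactically valid URL can
// still use a scheme that executes code. Accept only absolute http(s) URLs;
// anything else (or anything unparsable) is rejected.
function safeHref(href) {
  try {
    const url = new URL(href);
    if (url.protocol === 'http:' || url.protocol === 'https:') return url.href;
  } catch (e) {
    // not an absolute URL
  }
  return null;
}

// Render a commenter-supplied link. If the URL is rejected, the label is
// shown as plain text so the reader sees the comment but gets no link.
function renderLink(href, label) {
  const h = safeHref(href);
  if (h === null) return escapeHtml(label);
  return `<a href="${escapeHtml(h)}" rel="nofollow noopener">${escapeHtml(label)}</a>`;
}

// Constructed sample: a comment whose body and author name both carry script,
// modelled on the garbled "Hello world" comment in this thread.
const SAMPLE_AUTHOR = '<script>alert("Hello world")</script>';
const SAMPLE_BODY = '<script>alert("Hello world")</script>ddd';

console.log('unsafe:', renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_BODY));
console.log('safe:  ', renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_BODY));
console.log('link:  ', renderLink('https://example.com/page', 'Click here'));
```

Escaping is chosen over tag-stripping deliberately: stripping has to anticipate every way a browser might tolerate malformed markup, whereas escaping the five significant characters makes the comment inert in the text context regardless of what it contains. The scheme allow-list in `safeHref` covers the remaining gap for links, since the attribute context has its own rules that text escaping does not address.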

alert("Hello world")dddalert("Hello world")alert("Hello world")dddddddd

Posted by: alert("Hello world") | Mar 3, 2012 6:19:21 PM

Whatever you do, don't hit the red button. http://youtu.be/gms_NKzNLUs?t=6m5s

Posted by: Bruce Boyden | Feb 22, 2012 4:47:47 PM
