Weibo hack attack highlights holes
0 Comment(s)
Print
E-mail
Global Times, July 7, 2011
The suspect allegedly behind the widespread distribution of a virus on Sina Weibo has been arrested, according to the Beijing Times on Wednesday, but concerns remain over the security of China's hugely popular microblogging services.
Neither Sina's publicity department nor the Municipal Public Security Bureau would confirm the arrest of the person whose alleged virus infected more than 30,000 Weibo users, including official Sina microblogs, between 8:20 and 9:25 pm on June 28, according to the Legal Mirror.
During the attack, users received private messages titled "income tax exemption threshold is expected to be raised to 4,000 yuan (US$618)," or "sex photos of celebrity actress Fan Bingbing," with a link. If one clicked the links, their accounts automatically posted the same entry repeatedly.
A vulnerability in Weibo's system was exploited to generate the links, but the problem was fixed by 9 pm on June 28, according to an official Sina announcement, and the viral data was removed by 9:25 pm. The passwords and personal information of users were not affected, the announcement said.
Some Weibo users traced the virus back to an account named "hellosamy," which is already non-accessible on Weibo, the Legal Mirror report said.
"The case is under investigation, and we are working on enhanced measures to ensure Weibo safety," an anonymous publicity employee with Weibo told the Global Times on Wednesday.
The cross-site scripting (XSS) hole that made Weibo vulnerable is an ordinary one to which any website is at risk, according to Qihoo 360 Technology Co Ltd, one of China's major Internet companies.
"Although the Weibo virus was just a hacker trick, the implied microblog safety issue should not be neglected," an anonymous 360 publicity representative told the Global Times via e-mail on Wednesday. More Internet safety threats will be spread by microblog, 360's safety center predicts, and traditional anti-virus software is not safe enough, according to the representative.
They have already launched a new "microblog safeguard," the representative said.
Other Chinese microblogs, though not affected by the virus, told the Global Times they will continue to improve safety.
"We have firewalls and certain restrictions to make sure that hackers don't make it in that easily," said a media executive with Sohu's microblogging service surnamed Liu.
"Bugs are normal. What we do is to fix them as soon as we can," he told the Global Times.
Still, China's microblog operators lack adequate safety awareness and need to improve their ability to deal with virus attacks, according to Wei Wuhui, a teacher with Shanghai Jiaotong University and an Internet and new media expert.
"Sina did okay," he said, "but I myself still got some private spam messages until 11 pm or midnight that day, which means there is still some residual spam data."
The "I don't care about privacy invasion" thinking of Chinese Web users has resulted in lax safety protection, Wei said.
He advised that microbloggers not click random links, not post private photos online and to remove all private messages once read.
