ASafety - AntiSecurity A project you will hold dear...

Symantec's blunder

Questions, answers, miscellaneous topics, news and information


Post by x[@♥] » Mon 12 Jul 2010 07:35

Symantec scores own goal: its World Cup web site is full of spam comments - Update

I've always been fond of this kind of news, where the barons of "security" themselves neglect to secure themselves, sometimes even with really glaring and unimaginable holes and oversights.

This is the case with dear old Symantec, which recently, as this article shows, left a gaping breach open for spammers. What an idea, letting web users (and bots) post comments on the site's portal without registering and without a CAPTCHA!!!???

Anyway, personally, it saddens me once again...

In a press release, Symantec announced its new web site for the football World Cup in South Africa, 2010NetThreats, and that announcement turned out to be a bad idea. Under almost every security tip published, there are comments from spammers with links for purses, T-shirts, metal parts, hotels, sport shoes, and other dubious sales offers. Distributed via comment spam, the links appear to all lead to more or less harmless online shops, but it would be easy for spammers to put in links leading to servers infected with malware.

This comment spam is possible because Symantec did not implement all of the usual security mechanisms for the comment functionality on a site. To post a comment on the Symantec site, you do not need to register and it does not require completing a CAPTCHA. In light of the security functions that professional Content Management Systems (CMS) such as WordPress already include, Symantec is being astonishingly lax here when it comes to the security of its Web users. Symantec does not even change posted URLs as proposed by Google; this process involves the CMS adding an attribute (rel="nofollow") to URLs posted in comments. Without the attribute added, search engines index spam links which in turn increases their relevance on the search engines.

The superficiality of the tips published at 2010NetThreats suggests that Symantec is probably targeting less technically savvy web users. Yet, such users are likely to be the least familiar with how the cyber underground works – and are therefore most prone to becoming victims of spammers by innocently clicking on links in comments. In other words, Symantec is undermining the legitimacy of its otherwise praiseworthy web project.

Update: Symantec has now deleted all the comments on blog entries, and disabled the comment function.


Src here!

:hat:
Temp...
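The rel="nofollow" step the quoted article describes, as an added example that is not part of the original post or of any CMS's own code: a small Python rewriter that adds rel="nofollow" to every link in a stored comment fragment, merging with any rel value already present (e.g. "ugc"). It assumes comments are stored as short HTML fragments; the sample inputs in the test are constructed.

```python
import html
from html.parser import HTMLParser


class NofollowRewriter(HTMLParser):
    """Re-emits an HTML comment fragment with rel="nofollow" on every <a>.

    Hypothetical helper: tag and attribute names come back lower-cased
    from HTMLParser, attribute values and text are re-escaped on output,
    and HTML comments inside the fragment are dropped.
    """

    def __init__(self):
        super().__init__()  # convert_charrefs=True: data arrives unescaped
        self.out = []

    @staticmethod
    def _fmt(attrs):
        parts = []
        for name, value in attrs:
            if value is None:
                parts.append(" %s" % name)  # bare attribute, e.g. "download"
            else:
                parts.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        return "".join(parts)

    @staticmethod
    def _add_nofollow(attrs):
        attrs = list(attrs)
        for i, (name, value) in enumerate(attrs):
            if name == "rel":  # merge with an existing rel token list
                tokens = (value or "").split()
                if "nofollow" not in tokens:
                    tokens.append("nofollow")
                attrs[i] = ("rel", " ".join(tokens))
                return attrs
        attrs.append(("rel", "nofollow"))
        return attrs

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attrs = self._add_nofollow(attrs)
        self.out.append("<%s%s>" % (tag, self._fmt(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.out.append("<%s%s />" % (tag, self._fmt(attrs)))

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def add_nofollow(fragment):
    """Return the comment fragment with rel="nofollow" on every link."""
    parser = NofollowRewriter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Running this on each comment before it is rendered removes the search-ranking payoff the article describes; it does not by itself stop the spam from being posted, which is what registration or a CAPTCHA addresses.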
