Insecurely written software still looms as one of the greatest threats to Internet commerce, and user-generated Web content is becoming a vast new vulnerability hackers want to exploit, according to experts at RSA Conference. Cross-site scripting attacks on Web sites can lead to malware taking over the browsers of machines that use the sites, said Caleb Sima, a member of the Secure Software Forum and co-founder of SPI Dynamics. "If youre a business where users browse the Web [legitimately] and hackers take over a browser, they can use it as a tool to look at the internal network and send data outside the network," Sima said.
Similarly, this can lead to hackers stealing from individual users, he said. For instance, once a browser is commandeered, a hacker can learn passwords and activities an individual uses on the Internet. "They can go to stocktrader.com and trade your stock while youre logged in. It will do it and you wont know it," Sima said. Gaming sites and social networking sites are ripe for attacks because they have such large numbers of users who are routinely sending content to and from the sites. "If [hackers] find a vulnerability in a site, they can broadcast phishing attacks. Theyll have millions and millions of victims available," he said.