XSS Code exploits. Sounds like something out of The Matrix, right? Nope. It’s very much reality, and the chances of you getting hurt by one are increasing exponentially with every day that passes. So, what is it? XSS stands for “cross-site scripting” and is a type of computer security vulnerability typically found in web applications.
Basically, imagine someone managed to place a fake keypad on an ATM and that it recorded the keystrokes that you inputted when typing in your PIN number. It’s really that simple but the effects are obviously devastating. What makes it particularly dangerous is that it’s so difficult to detect unless you’re paying very close attention. For example, just earlier this month, Steam (by far the largest gaming platform on Windows PCs) had its user profile pages injected with an XSS script. The rogue script could:
- Redirect you to any non-steam page - for example a phishing login page. From a user perspective, it’s just you going to a legitimate Steam profile, then seeing a typical normal-looking login page. Seems legit right? You pop in your info. You didn't click anything suspect so it's no big deal?
- The bad actor then utilises scripting to use your Steam Market funds on any item the malicious user chooses - they wouldn't even need to confirm anything as they're on a valid login session.
- They can also manipulate elements on the page as they see fit, enabling you to give away even more personal data.
XSS scripting is even more annoying than most hacks as you’re actually doing all the work for the hacker. So, how do you avoid being suckered into giving your personal data away to an exploit? There are some simple steps that everyday users can implement to be on the safe side.
- Ensure that you are triple-checking a website URL for anything suspicious before doing anything with your sensitive information.
- With Steam in particular, go into your Steam Settings and enable "Display Steam URL Address Bar When Available", and once again, triple-check that URL. Also, try to avoid viewing profiles of anybody you're unfamiliar with.
- If you think you think you’ve been affected by an XSS code exploit, change your password, enable a mobile authenticator (or any two-factor authorisation process) - and scan your system for malware. For best practice, you should be doing these three things on a regular basis regardless.
Cross-site scripting is no joke. OWASP named it their 2nd most important web application risk in their latest list in 2013, and it’s only gotten more widespread since then. Would-be hackers have figured out it’s easier just to rely on users to slip up themselves, rather than having to code advanced persistent threats which take a lot of time and effort to produce. It may seem a hassle to have to properly check a URL every time you shop for example, but wouldn’t it be far worse to suddenly see your bank account empty? Better to be safe than sorry.