SEOUL, KOREA - White hacker group Lockdown has said that it found a cross-site scripting (XSS) vulnerability in the “report” function of Talk on, an in-game voice chat instant messenger, offered by SK Communications, the developer of South Korean web portal Nate.
If users click on an attacker’s report button, the attacker become able to inject malicious scripts into Web pages viewed by the users, thereby exposing the users’ computers to varied security threats, such as malware, remote controlling, videotaping through a web cam, keylogging and personal data leaks. Furthermore, if memory manipulation programs are put to use, anyone can easily take advantage of XSS vulnerabilities.
Once an attacker exploits a memory manipulation program in turning a user’s nickname into a malicious script access point, XSS occurs in the report window immediately after the user clicks on the attacker’s report button, consequently affecting computers running Windows XP (and above) and Talk on version 184.108.40.206.
SK Communications has recently won a lawsuit over a personal data leak. The court sided with SK Communications, saying that it did its best in protecting users’ personal data. That being said, Talk on, a voice chat program that has been run by SK Communications as a beta service for five years and used by tens of thousands of online gamers, turned out to be susceptible to XSS attacks.
To block off XSS, one of computer security vulnerabilities typically found in web applications, Microsoft has equipped its Internet Explorer 8.0 (and above) with the Internet Explorer XSS Filter, but the anti-XSS filter failed to work properly on Talk on. It means Talk on is highly risky security wise. Lockdown is to submit a report on Talk on and the built-in XSS filter in Internet Explorer 8.0 to Microsoft.
SK Communications has swiftly taken countermeasures against such Talk on’s vulnerability to XSS attacks. Back in 2011, Nate and Cyworld, run by SK Communications, leaked the personal data of 3.5 million users. SK Communications said that it would continue to bolster its online security tools to prevent a recurrence of such security breaches.