
This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/security/0,39024655,11026168,00.htm


Lycos open to malicious attacks
Find more than you bargained for with a web search...

By Pia Heikkila

Published: Tuesday 31 July 2001

A vulnerability has been found in the Lycos search engine which could lead to the PCs of visitors to the site being infected with malicious code.

Security lab CBS Sentry Research found a vulnerability in the search engine which could allow a malicious attacker to redirect unsuspecting surfers to a bogus site, or even run malicious code on the user's machine. The risk is only theoretical but could lead to a serious attack.

Once the engine has completed a search, the results page displays a short summary of each site found. This description is gleaned from meta-tags attached to the web page. The tag text can carry HTML or JavaScript, so a script can be embedded within these text fields, hiding a program that is executed automatically when the search engine displays the page summary.

If the program includes a redirection or some form of malicious code then that will be executed by the browser even before the rest of the page is loaded. CBS said other search engines are expected to be vulnerable as well.
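An added example, not from the article or from Lycos, of the flaw described above beside one standard fix (HTML-encoding crawled text on output, which is not necessarily the filter Lycos mentions). The crawled page, the function names and the marker script are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser


class MetaDescription(HTMLParser):
    """Collects the content of <meta name="description"> from a crawled page."""

    def __init__(self):
        super().__init__()
        self.description = ""

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "description":
            # The parser has already decoded entities such as &lt; in the value.
            self.description = a.get("content") or ""


def extract_description(page_html):
    parser = MetaDescription()
    parser.feed(page_html)
    parser.close()
    return parser.description


def render_unsafe(title, summary):
    # Vulnerable pattern: crawled text is pasted into the results page as markup,
    # so the visitor's browser interprets whatever the indexed site supplied.
    return "<li><b>" + title + "</b><p>" + summary + "</p></li>"


def render_safe(title, summary, max_len=200):
    # Treat crawled text as data: truncate first, then HTML-encode on output.
    return "<li><b>{}</b><p>{}</p></li>".format(
        escape(title), escape(summary[:max_len])
    )


# Constructed sample page. The description is entity-encoded at the source,
# which does not help: the crawler decodes it before the summary is rendered.
CRAWLED_PAGE = (
    '<html><head><meta name="description" content="Great deals '
    '&lt;script&gt;constructed_marker()&lt;/script&gt; book now">'
    "</head><body></body></html>"
)

if __name__ == "__main__":
    summary = extract_description(CRAWLED_PAGE)
    print(render_unsafe("Cheap flights", summary))
    print(render_safe("Cheap flights", summary))
```
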

Alex Kovach, MD of Lycos UK, said: "We are fully aware that there is an issue with our search engine but we are yet to have any examples of abuse. We are currently developing a filter which will block this type of attack."

