Computer experts are warning of a serious new internet security threat that allows hackers to launch malicious programs on a victim’s computer or capture information a person volunteers on a web site, such as credit card numbers.

The threat, called “cross-site scripting,” involves computer code that can be hidden within innocuous-looking links to popular internet sites. The links can be eMailed to victims or published to online discussion groups and web pages.

The vulnerability is especially unusual because it is not limited to software from any particular company. Any web browser on any computer visiting a complex web site is at risk.

No one apparently has been victimized yet. But the risks are described as potentially serious enough and affect such a breadth of even the most successful web sites that the industry’s leading security group says nothing consumers can do will completely protect them.

Only a massive effort by web site designers can eliminate the threat, according to the CERT Coordination Center of Carnegie Mellon University and others. (CERT does not stand for anything; it is a registered service mark of the university.) Software engineers at CERT issued the warning together with the FBI and the Defense Department.

“This is a serious security issue, with potential implications that are only starting to be understood,” said a warning from the Apache Software Foundation, which supports widely used software running many of the world’s web sites.

The problem, discovered weeks ago but publicly disclosed Feb. 2, occurs when complex internet sites fail to verify that hidden software code sent from a consumer’s browser is safe.

Experts looking at how often such filtering occurred found that internet sites failing to perform that important safety check were “the rule rather than the exception,” said Scott Culp, the top security program manager at Microsoft.

“Any information that I type into a form, what pages I visit on that site, anything that happens in that session can be sent to a third-party, and it can be done transparently,” Culp warned. He added: “You do have to click on a link or follow a link in order for this to happen.”

The dangerous code also can alter information displayed in a consumer’s web browser, such as account balances or stock prices at financial sites. And it can capture and quietly forward to others a web site’s “cookie,” a small snippet of data that could help hackers impersonate a consumer on some internet pages.

“It really goes across a huge number of sites,” said Marc Slemko, a Canadian software expert who studied the problem. Slemko said internet-wide repairs will be “a very, very major undertaking.”

In the interim, experts strongly cautioned internet users against clicking on web links from untrusted sources, such as unsolicited eMail or messages sent to discussion forums.

They also recommended that users at least consider preventing their web browser software from launching small programs, called scripts. But they acknowledged that many internet sites require that function to operate.

Microsoft published full details and step-by-step instructions for consumers at its web site. Sun Microsystems Inc., whose software powers many of the world’s largest internet sites, also published information at its site, as did the Apache Software Foundation.


CERT Coordination Center

CERT’s Cross-Site Scripting Advisory (Advisory CA-2000-02)

Microsoft Security Advisor Program

Sun Microsystems’ Cross-Site Scripting warning

Apache Software Foundation’s Cross Site Scripting information