Business Logic Flaws :: "Interactive TV" :: Class: Insufficient Process Validation

The website for Cable News 14 in North Carolina allowed registered users to submit weather-related announcements for TV, in order to alert local residents of school or business closures. The submissions were posted to the on-screen crawl during the newscast as a public service and rotated periodically. Think Web 2.0 for television. Can you spot the security problem?

Any time user-supplied data is collected and redistributed for mass consumption, online or via mainstream media, there is a risk that the content could be malicious or abusive. Spam, derogatory comments, pornography, and various forms of malware are all common examples. Moderators are typically present in online message boards, chatrooms, mailing lists, etc. to remove offensive material. On TV, the familiar bleeps and blackout blocks provide roughly the equivalent function. In particularly sensitive distribution outlets, such as public television, content should be carefully reviewed PRIOR to being aired, or the broadcaster risks FCC fines. At Cable News 14, this was done only partially.

One particular malicious user noticed the submission-editing feature of the system. They posted a nice, informative message and waited for the moderators to approve it for airing. Afterward, the malicious user edited the message with new bogus content. The edited content was allowed to air because the system did not require edited messages to undergo further moderator scrutiny: approval was attached to the submission record, not to the exact text the moderator had reviewed, so any later change to the text inherited the earlier approval. By the time the loophole was noticed by Cable News 14, the malicious user had shared their discovery with others on a public message board, whose participants also got their 15 minutes of fame*.

Solution

In this case, the solution would have been easy: either disallow edits to content once it has been approved, or send every edit back through moderation before it can air. In both designs the check to enforce is the same: an approval is valid only for the exact content that was reviewed, and any mutation of that content invalidates it. The downside is that re-reviewing edits requires additional human resources for screening.

* Pranksters bedevil TV weather announcement system
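The following is an added example, not code from the original page or from Cable News 14's system; the `AnnouncementBoard` class, its method names and the sample announcement text are all constructed for illustration. It models the flaw and the fix side by side: `crawl_flawed` airs anything whose `approved` flag is set (the flag survives edits, exactly the loophole described above), while `crawl_fixed` binds the approval to a hash of the reviewed text, so an edited item silently drops out of the crawl and reappears in the moderator's review queue.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


def digest(text: str) -> str:
    """Hash of the exact text a moderator looked at."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class Announcement:
    text: str
    approved: bool = False                # flag-based approval (the flawed design)
    approved_hash: Optional[str] = None   # content-bound approval (the fix)


class AnnouncementBoard:
    """Hypothetical submission system modelled on the page's description."""

    def __init__(self) -> None:
        self._items: dict[int, Announcement] = {}
        self._next_id = 1

    def submit(self, text: str) -> int:
        item_id = self._next_id
        self._next_id += 1
        self._items[item_id] = Announcement(text=text)
        return item_id

    def approve(self, item_id: int) -> None:
        item = self._items[item_id]
        item.approved = True                     # what the flawed site recorded
        item.approved_hash = digest(item.text)   # what the fixed site records

    def edit(self, item_id: int, new_text: str) -> None:
        # As on the original site: the edit path never touches approval state.
        self._items[item_id].text = new_text

    def crawl_flawed(self) -> list[str]:
        """Air everything with the flag set; edits after approval still air."""
        return [i.text for i in self._items.values() if i.approved]

    def crawl_fixed(self) -> list[str]:
        """Air only text whose current hash matches the hash that was approved."""
        return [
            i.text for i in self._items.values()
            if i.approved_hash is not None and i.approved_hash == digest(i.text)
        ]

    def pending_review(self) -> list[int]:
        """Items a moderator must (re)review: never approved, or edited since."""
        return [
            k for k, i in self._items.items()
            if i.approved_hash is None or i.approved_hash != digest(i.text)
        ]


def demo() -> tuple[list[str], list[str], list[int]]:
    """Replay the prank: submit, get approved, then edit the approved item."""
    board = AnnouncementBoard()
    # Constructed sample announcement, not a real submission.
    aid = board.submit("Maple Elementary closed Tuesday due to ice")
    board.approve(aid)
    board.edit(aid, "BOGUS: all schools closed forever")
    return board.crawl_flawed(), board.crawl_fixed(), board.pending_review()


if __name__ == "__main__":
    flawed, fixed, pending = demo()
    print("flawed crawl airs:", flawed)
    print("fixed crawl airs: ", fixed)
    print("needs review:     ", pending)
```

Binding the approval to a digest of the content (rather than clearing a flag inside `edit`) is deliberate: it protects against every write path, including ones added later or ones that bypass the `edit` method, because the on-air query itself re-derives whether the current text is the text that was reviewed. The page's simpler alternative, refusing edits once approved, would be a guard in `edit` that raises when `approved_hash` is set.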