TORONTO - User data input fields can serve as gateways into websites and afford hackers access to sensitive information.
There are several methods hackers use to pry open a website’s secrets.
SQL Injection
Malicious input is entered into a data entry field on a website. That input then runs as part of a command, such as one that returns the contents of the database.
Data entry fields on websites can be programmed to accept only numbers or strings (words), but when a field filters its input improperly, the resulting vulnerability can allow hackers to gain access.
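The difference between a field that filters its input properly and one that does not can be shown in a few lines. The following is an added example (not from the article or the people quoted in it), using Python's bundled SQLite driver and a constructed two-row table: the first lookup pastes the field's value into the query text, the second binds it as a parameter so the database never interprets it as SQL.

```python
import sqlite3


def make_db():
    # Constructed sample database: two users, in memory only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable: the field's value becomes part of the SQL text, so quotes
    # and keywords typed into the field change the meaning of the query.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Hardened: the value is bound as a parameter and compared literally,
    # whatever characters it contains.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_by_id(conn, raw_id):
    # A field meant to accept only numbers: reject anything that is not an
    # integer before it gets anywhere near the query.
    try:
        user_id = int(raw_id)
    except ValueError:
        raise ValueError("id field accepts digits only")
    return conn.execute(
        "SELECT username, email FROM users WHERE rowid = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A quote followed by an always-true condition returns every row from the
    # unsafe lookup and nothing from the safe one.
    tainted = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, tainted))
    print("safe:  ", lookup_safe(db, tainted))
```

Running the module prints both rows for the unsafe lookup and an empty list for the safe one; the same input is harmless once it is passed as a parameter rather than spliced into the query string.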
Command Injection
Command injection occurs when malicious input changes how a command run by the website operates.
Often this involves satisfying the conditions of the data entry field and then using additional command syntax to “trick” the website into returning more data, such as root files.
Cross-Site Scripting
This type of vulnerability allows hackers to manipulate how a website responds to its users, for example by making a pop-up message appear after an input is provided.
It is generally considered a nuisance-type vulnerability, but it can also be enhanced to steal cookies, fragments of data sent from another website and stored in your browser.
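Two server-side measures address the two effects described here. Escaping user input before it is placed in a page stops typed-in tags from being interpreted as script, and marking the session cookie HttpOnly keeps page scripts from reading it even if an injection slips through. Both are shown in this added example (not from the article), using only Python's standard library and a constructed comment string.

```python
import html
from http.cookies import SimpleCookie


def render_comment_unsafe(text):
    # Vulnerable: the value is placed in the HTML verbatim, so any tag in it
    # is interpreted by the browser instead of being displayed.
    return f"<p class=\"comment\">{text}</p>"


def render_comment_safe(text):
    # Hardened: &, <, >, " and ' are converted to entities, so the browser
    # shows the characters as text rather than parsing them as markup.
    return f"<p class=\"comment\">{html.escape(text, quote=True)}</p>"


def session_cookie_header(value):
    # HttpOnly keeps the cookie out of reach of scripts running in the page;
    # Secure restricts it to HTTPS; SameSite=Lax limits cross-site sending.
    cookie = SimpleCookie()
    cookie["session"] = value
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    return cookie["session"].OutputString()


if __name__ == "__main__":
    # Constructed input containing a script tag, the kind of thing the
    # article's pop-up example relies on.
    comment = "<script>alert('hi')</script>"
    print(render_comment_unsafe(comment))
    print(render_comment_safe(comment))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```

Escaping belongs at the point where the value is written into HTML; the same value placed inside a script block or an attribute needs the escaping rules for that context, which is why templating engines escape by default rather than relying on per-field filtering.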
Generally speaking, Brott says individual users are rarely targets. “If you are, it would be what’s called a ‘drive by’: hackers will pick a popular website and whoever comes to it gets hit.”
One common pitfall for individual users is links sent by what are thought to be legitimate businesses or contacts, prompting you to open them.
If the link is clicked, it forwards the user to a page that downloads malware or viruses onto their computer.
To help safeguard against this attack, hover over the sender’s name with your mouse to display their full address.
Reputable businesses and institutions will have a standard and intuitive naming convention according to Deepa Kundur, professor of computer engineering at the University of Toronto.
“Our email at the University of Toronto always ends in ‘utoronto.ca’, but sometimes we’ll receive emails from ‘utoronto.co’, which is not exactly the same thing.”