Byrne's naked shorting crusade outs Yahoo! security vuln

From Wikimadness to cross-site scripting

Patrick Byrne's unrelenting crusade against naked short selling has uncovered a gaping security hole in Yahoo!'s ever-popular message boards.

Yahoo! has now patched the cross-site scripting bug - which allowed miscreants to snatch Yahoo! IDs, cookies, and IP addresses from users merely searching the message boards - but not before the vuln added a typically bizarre postscript to the epic online tête-à-tête between Byrne and the countless financial journos who branded him a madman.

A year after Lehman Brothers, the venerable Wall Street investment bank, filed for bankruptcy - a moment that signaled the onset of the worst financial crisis since the Great Depression - Patrick Byrne is a man vindicated. The CEO spent years warning that abusive naked short selling was threatening the health of America's financial markets, and in the wake of last fall's spectacular Wall Street collapse, many other voices - including Lehman Brothers CEO Richard Fuld - have acknowledged that naked shorting at least played a part.

Following the Wall Street meltdown, the US Securities and Exchange Commission issued temporary rules meant to curb naked shorting, a financial sleight of hand that floods the market with nonexistent stock. In late July, the Commission made these rules permanent. And a few days later, it enforced the new rules for the first time.

But Byrne's crusade rolls on. Last year, continuing to tread that fine line between the valiant and the bizarre, Byrne set up a company that would do nothing but fight his battle against illegal stock-manipulation schemes, and the three-man outfit is still plugging away, pushing for US legislation that would completely prevent naked shorting. Known in classic Byrne fashion as Deep Capture, the company recently published an 80-page investigation into what it claims was a naked-shorting attack on a biotech startup called Dendreon.

Deep Capture is spearheaded by Judd Bagley, the Byrne minion at the heart of the Wikipedia edit war to end all Wikipedia edit wars. For years, news outlets ignored Byrne's warnings over naked shorting, with some journos - most notably a former BusinessWeek reporter named Gary Weiss - painting the Overstock boss as a complete nutcase. And Byrne always felt this poor treatment was fueled at least in part by the unfavorable way that Wikipedia discussed him and his stance on naked shorting.

According to Byrne and Bagley, for years the relevant articles on the "free encyclopedia anyone can edit" were controlled by none other than Gary Weiss, hiding behind various anonymous accounts. Weiss - who now writes for the business news site - has always denied this. But Bagley - treading the fine line between dogged internet investigation and online stalking - eventually turned up emails indicating otherwise.

The tale may seem strange to you and me. But where Patrick Byrne is concerned, it's par for the course.

And it only gets stranger. Last summer, Bagley discovered a significant bug in Yahoo!'s message boards that allowed him to execute JavaScript on users' machines as they searched the boards. If Bagley slipped his script into the body of a message and a user ran a search that turned up the post, the script would execute. Users didn't have to visit the message. It simply had to appear on their search results page.

Bagley says that he used the bug to capture Weiss's Yahoo! ID and IP address and link him to one of the few voices that continue to characterize naked shorting as a non-issue: a blog posted under the name Tom Sykes. The blog ran on the politics and business site Daily Kos. But administrators have stopped further postings.

Gary Weiss tells The Reg he is not behind the Tom Sykes blog. But he continues to criticize Byrne and Byrne's naked shorting stance on his own blog. And the Yahoo! bug that Bagley described is legitimate.

Bagley was able to capture your reporter's Yahoo! ID and IP via the hole, and the vuln was independently verified by Jeremiah Grossman, a web-application security expert and the CTO of WhiteHat Security.

Using this cross-site scripting bug, you could also grab a user's Yahoo! cookie, which could then be used to impersonate them online - even if you didn't have their Yahoo! password. But the bug is also a window to a password-grabbing phishing attack.

"Since you can execute JavaScript, you can simply rewrite the entire web page," Grossman explains. "You could force the user to log in again and capture their password that way." After we contacted Yahoo! about the vulnerability, the company's security team acknowledged its existence and patched it within a few hours.

Bagley says he first discovered the bug in the summer of 2008 when he noticed that Yahoo!'s message boards would occasionally format search results in unexpected ways. "The search results give you summaries of pages, and every now and then, words in the summary would be in italics. And sometimes they would be bold. And sometimes they would be underlined," Bagley tells The Reg. As it turns out, users were posting a kind of accidental HTML in their messages. In using the < symbol to quote others, they would mistakenly include, say, the HTML for italics.

"If somebody was quoting someone else and the sentence started with the letter 'i', it would turn up in italics," Bagley explains. And if the site was rendering ordinary HTML from message bodies, he thought, it would also execute JavaScript.
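The italics symptom Bagley describes is the tell-tale sign of a search page dropping raw message text into its HTML: a quoted line beginning with "<i" is parsed as an opening tag, so anything else a poster types, including a script element, is parsed too. The following is an added example, not Yahoo!'s code, showing that vulnerable rendering pattern next to the fix a defender would ship (truncate the summary, escape it, then add the site's own highlight markup). The posts, the query and the function names are all constructed for the illustration.

```javascript
// Added example (not Yahoo!'s or Deep Capture's code). Two ways of building
// the search-result summary for a user-posted message: one that reproduces
// the bug the article describes and one that neutralises it.

// Constructed sample posts. Post 1 is the accidental-HTML case from the
// article (a quote that starts with "<i"); post 2 contains a script tag.
const SAMPLE_POSTS = [
  { id: 1, body: "<i think the stock will recover> said the bull. Overstock naked shorting again." },
  { id: 2, body: "naked shorting <script>alert('xss')</script> is fine, says the poster" },
];

const SNIPPET_LENGTH = 120; // assumed summary length, not Yahoo!'s value

// Replace the five characters that can change meaning inside HTML text or
// attribute context. Ampersand goes first so later entities are not doubled.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The vulnerable pattern: raw message text concatenated into the results
// page, so "<i ..." becomes an italics tag and "<script>" runs.
function renderSnippetUnsafe(body, query) {
  const snippet = body.slice(0, SNIPPET_LENGTH);
  return `<li>${snippet.split(query).join(`<b>${query}</b>`)}</li>`;
}

// Hardened version. Order matters: truncate the raw text first (so an
// entity is never cut in half), escape everything, then wrap the escaped
// query in our own <b> tags. The poster's markup ends up displayed literally.
function renderSnippetSafe(body, query) {
  const snippet = body.slice(0, SNIPPET_LENGTH);
  const escQuery = escapeHtml(query);
  const highlighted = escapeHtml(snippet).split(escQuery).join(`<b>${escQuery}</b>`);
  return `<li>${highlighted}</li>`;
}

// Minimal search: return the rendered summary for every post containing the query.
function searchResults(posts, query, render) {
  return posts
    .filter((p) => p.body.includes(query))
    .map((p) => render(p.body, query));
}

// Regression check for the results page: the only tags allowed in a rendered
// summary are the ones the renderer itself emits (<li> and <b>).
function hasOnlyAllowedTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.every((t) => /^<\/?(li|b)>$/.test(t));
}

module.exports = { SAMPLE_POSTS, escapeHtml, renderSnippetUnsafe, renderSnippetSafe, searchResults, hasOnlyAllowedTags };
```

Running `searchResults(SAMPLE_POSTS, "naked shorting", renderSnippetSafe)` yields summaries in which `&lt;i think the stock will recover&gt;` and `&lt;script&gt;` appear as visible text, while the unsafe renderer emits the poster's tags verbatim and fails the `hasOnlyAllowedTags` check. Escaping at output time, in the context the text lands in, is the fix; trying to strip "bad" tags from posts on the way in is what lets accidental markup like "<i" slip through.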

In order to pilfer the online identity of a particular person, you would have to tag a message with keywords you could be sure they would search for. But you could also spread the net wider.

"What I'd do is start spamming all the boards and all the threads with all the keywords I can think of. Spam galore," says Grossman. "Yahoo! has 250 million users. You're going to find a large number who are searching for something."

But now the hole is closed. And once again, we're left to ponder the world according to Byrne. You can read more on his ongoing naked-shorting crusade here.

With a traditional short sale, traders borrow shares and sell them in the hope that prices will drop. A naked short works much the same way - except the shares aren't actually borrowed. They're sold but not delivered.

Using these unresolved "stock IOUs," Byrne says, nefarious Wall Streeters can potentially drive entire companies out of business. "You can destroy these companies, and when that happens, you don't have to pay the IOUs off," he has told The Reg. "It's basically a system for being a serial killer of small companies."

Byrne's campaign came to a head in February 2007 with a $3.48bn lawsuit against 12 New York brokerage firms, alleging a "massive, illegal stock market manipulation scheme." The case is still pending.

Emails shared with Byrne and The Reg indicate that Gary Weiss is behind a Wikipedia account known as "Mantanmoreland," an account that - with the backing of site admins - controlled the articles on naked shorting, Patrick Byrne, and Overstock from January 2006 to March 2008.

A single Wikipedia edit links the Mantanmoreland account to a PC inside the Depository Trust & Clearing Corporation (DTCC). Owned by Wall Street investment banks that may have benefited from naked shorting schemes, the DTCC oversees the delivery of stocks on Wall Street. In other words, it is in a prime position to observe abusive naked shorting schemes. DTCC denies it has ever had any involvement with Gary Weiss. ®
