Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Weird security question: is it possible to infect an online account?


  • Please log in to reply
9 replies to this topic

#1 gmtjohny

gmtjohny

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:03:08 PM

Posted 11 November 2012 - 02:17 AM

Hi, I know this is a weird question, but let's say my computer was infected with an advanced piece of malware and I logged into an online account, let's say... Bleeping Computer for example, could a piece of malware "infect" my account? And could it stay active even after a password change?

Or is infecting web based accounts basically impossible?

BC AdBot (Login to Remove)

 


#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:08 AM

Posted 11 November 2012 - 03:26 AM

Or is infecting web based accounts basically impossible?

The chances are very miniscule at this time, but ..............................
I have seen a site that had become "Infected", but this was usually due to a direct attack, rather than a "Second Hand" drive-by -
The site was actually like this site, but the infection was traced very quickly to a "Direct Attack", and not allowed to pass any further.

could it stay active even after a password change? << This would not be related in any way. You are talking about a site and not a user.

It would take a written code that was "Injected", and not "Brushed on" -

Site security is so high that even a direct attack is usually quite evident most times, and second hand "Unknown" infection is almost not known.

The infection would need to be more directly aimed at a sites engine, and not just a "random" infection of any one section / user of the site -

Thank You -

#3 gmtjohny

gmtjohny
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:03:08 PM

Posted 11 November 2012 - 03:55 AM

So let me sum up the question: if I logged into an online account on an infected computer, could it infect my personal account? Thanks.

#4 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:08 AM

Posted 11 November 2012 - 05:49 AM

if I logged into an online account on an infected computer, could it infect my personal account?

You would actually be logging onto an Infected Site, for this to happen, not into an infected Account - That is what I am trying to explain.

Account is not related here at all - All accounts on an infected site could be infected if it was a Superbug, not a "normal infection"

Antivirus and Antimalware may protect you from infection, but Account is Nothing to get infected -

Your idea is nice, but it is simply NOT Logical in any way :)

Thank You -

#5 gmtjohny

gmtjohny
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:03:08 PM

Posted 12 November 2012 - 03:36 PM

Okay thanks! :)

#6 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:08 PM

Posted 12 November 2012 - 05:36 PM

If you mean with "infected account" an account to which malicious code has been added (by said malware), then no, because most accounts don't have features that allow you to associate code with it and execute it.

But there are some exceptions. Second Life for example allows you to program. Maybe this could be done in Second Life, but I don't know, I'm not familiar with it.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#7 gmtjohny

gmtjohny
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:03:08 PM

Posted 12 November 2012 - 07:02 PM

If you mean with "infected account" an account to which malicious code has been added (by said malware), then no, because most accounts don't have features that allow you to associate code with it and execute it.

But there are some exceptions. Second Life for example allows you to program. Maybe this could be done in Second Life, but I don't know, I'm not familiar with it.

Right, like a webmail account or an online dating site for example.

#8 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:08 AM

Posted 13 November 2012 - 01:51 AM

Right, like a webmail account or an online dating site for example.

As Didier Stevens pointed out, there could only be Specific examples -
But since you chose BleepingComputer as your example, I was forced to say no, to this type of account, on this type of site :wink:

Thank You, and I hope it cleared it up for you :)

#9 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:08 PM

Posted 13 November 2012 - 05:09 AM

Right, like a webmail account or an online dating site for example.


No, these are examples of accounts that are hard to infected (i.e. include malicious code). But they can be compromised (e.g. credentials stolen).

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#10 gmtjohny

gmtjohny
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:03:08 PM

Posted 13 November 2012 - 06:58 AM

Thank you noknojon and Didier for your help. :D




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users