XSS flaw on Obama page sends visitors to Clinton site

The battle between Democratic presidential hopefuls Barack Obama and Hillary Rodham Clinton extended to cyberspace when a prankster over the weekend exploited a cross-site scripting (XSS) vulnerability on the website of the Illinois senator to redirect traffic to Clinton's homepage.

According to British internet research firm Netcraft, the hacker embedded specially crafted code in the Community Blogs section of the Obama site, which automatically sent visitors to his rival's site.

An individual using the alias Mox of Liverpool, Ill., claimed responsibility for the prank. It is unclear who the prankster supports in the campaign.

“What I did was not hacking in the sense that I burrowed into some dusty [server] and changed the Obama site and stole all your credit card numbers,” Mox wrote in a post on an Obama forum. “All I did was exploit some poorly written HTML code.”

Security experts said on Tuesday that the practice of leveraging XSS vulnerabilities is nothing new.

“Instead of trying to post legitimate text to a website, an attacker might try posting actual code,” Zulfikar Ramzan of Symantec Security Response said in a blog post on Tuesday. “When someone visits the site and views the corresponding post, rather than rendering the text, the web browser might try to execute the corresponding code.”

Ramzan said an attack of this type could just as easily have been malicious and financially motivated.

“An attacker could attempt to post code that will lead users to a website that might exploit a vulnerability on their web browsers and subsequently download malicious software on their machine,” he said. “Along similar lines, an attacker can inject content that tricks users into divulging sensitive information by leveraging the trust people afford to the original site.”

Mandeep Khera, vice president of marketing at Cenzic, said organizations need to conduct better testing for coding flaws.

“The Obama site exploit points to an alarming problem,” he said. “Most of the websites out there have these and many other vulnerabilities that can be easily manipulated for hackers' benefit. These types of vulnerabilities can be avoided by simply having better server-side validation.”
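Ramzan's description (posted text that the browser runs as code) and Khera's remedy (server-side validation) come down to a few lines of code. The following is an added example, not code from the Obama site, Symantec or Cenzic: the comment bodies, the redirect URL (rival.example.org) and the function names are constructed for illustration. It goes one step beyond the article by showing why stripping `<script>` tags, the first "validation" most people reach for, does not fix the bug, while encoding the output for its HTML context does.

```javascript
// Constructed sample input: three comment bodies of the kind a visitor might submit
// to a blog or comment section. The redirect URL is a placeholder, not a real site.
const REDIRECT_URL = "https://rival.example.org/";

const SUBMITTED_COMMENTS = [
  // 1. Ordinary text; the "<3" must survive as visible text.
  "Great speech in Iowa! <3",
  // 2. The textbook payload: a script tag that sends the browser elsewhere on load.
  `<script>window.location = "${REDIRECT_URL}";</script>`,
  // 3. Same effect with no <script> tag at all: an event handler on a broken image.
  //    This is what defeats "just strip <script>" style filtering.
  `<img src="x" onerror="window.location='${REDIRECT_URL}'">`,
];

// Vulnerable renderer: the submitted text is concatenated straight into the page,
// so the browser parses it as markup instead of displaying it.
function renderCommentVulnerable(body) {
  return `<div class="comment">${body}</div>`;
}

// Blacklist "validation": removes <script> tags and nothing else. Kept here as the
// wrong fix, so its failure on payload 3 can be seen.
function stripScriptTags(body) {
  return body.replace(/<\/?script\b[^>]*>/gi, "");
}

function renderCommentBlacklisted(body) {
  return `<div class="comment">${stripScriptTags(body)}</div>`;
}

// Hardened renderer: contextual output encoding for an HTML text node. Every
// character that could change how the HTML parser tokenises the text becomes an
// entity, so whatever the comment contains is displayed, never executed.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

function renderCommentSafe(body) {
  return `<div class="comment">${escapeHtml(body)}</div>`;
}

// Test oracle for this demo (not a sanitizer): does the user-controlled part of the
// rendered fragment still contain a raw tag opener? In an HTML text context, no raw
// "<" followed by a tag name means no element, and so no event handler, can exist.
function containsActiveContent(renderedHtml) {
  const inner = renderedHtml
    .replace(/^<div class="comment">/, "")
    .replace(/<\/div>$/, "");
  return /<[a-z!\/]/i.test(inner);
}

// Runs every renderer over every sample and reports where active content survives.
function evaluateRenderers(comments = SUBMITTED_COMMENTS) {
  return comments.map((body) => ({
    vulnerable: containsActiveContent(renderCommentVulnerable(body)),
    blacklisted: containsActiveContent(renderCommentBlacklisted(body)),
    safe: containsActiveContent(renderCommentSafe(body)),
  }));
}

console.table(evaluateRenderers());
```

Run with `node`, the table shows the script payload surviving only in the vulnerable renderer, the `onerror` payload surviving in both the vulnerable and the blacklisted renderer, and nothing surviving the encoded renderer. Two caveats for anyone copying the pattern: `escapeHtml` is correct for text nodes and quoted attribute values only, so a value that lands in a URL, a JavaScript string or an unquoted attribute needs the encoder for that context; and input validation of the kind Khera calls for is worthwhile defence in depth, but a tag blacklist is not validation, and neither replaces encoding at the point of output.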

An Obama spokesperson did not respond to a request for comment.
