XSS flaw on Obama page sends visitors to Clinton site
According to British internet research firm Netcraft, the hacker embedded specially crafted code in the Community Blogs section of the Obama site, which automatically sent visitors to his rival's site.
An individual using the alias Mox of Liverpool, Ill., claimed responsibility for the prank. It is unclear who the prankster supports in the campaign.
“What I did was not hacking in the sense that I burrowed into some dusty [server] and changed the Obama site and stole all your credit card numbers,” Mox wrote in a post on an Obama forum. “All I did was exploit some poorly written HTML code.”
Security experts said on Tuesday that the practice of leveraging XSS vulnerabilities is nothing new.
“Instead of trying to post legitimate text to a website, an attacker might try posting actual code,” Zulfikar Ramzan of Symantec Security Response said in a blog post on Tuesday. “When someone visits the site and views the corresponding post, rather than rendering the text, the web browser might try to execute the corresponding code.”
Ramzan said this type of attack could easily have been malicious and financially motivated in nature.
“An attacker could attempt to post code that will lead users to a website that might exploit a vulnerability on their web browsers and subsequently download malicious software on their machine,” he said. “Along similar lines, an attacker can inject content that tricks users into divulging sensitive information by leveraging the trust people afford to the original site.”
Mandeep Khera, vice president of marketing at Cenzic, said organizations need to conduct better testing for coding flaws.
“The Obama site exploit points to an alarming problem,” he said. “Most of the websites out there have these and many other vulnerabilities that can be easily manipulated for hackers' benefit. These types of vulnerabilities can be avoided by simply having better server-side validation.”
An Obama spokesperson did not respond to a request for comment.