By Thomas Claburn
April 22, 2008
The Web sites of Barack Obama and Hillary Clinton appear to be vulnerable
to cross-site scripting (XSS) attacks.
XSSed.com, a site that tracks cross-site scripting vulnerabilities,
includes reports of four XSS vulnerabilities that affect BarackObama.com
and one that affects HillaryClinton.com.
Cross-site scripting allows an attacker to inject script into a page that
a Web site serves to its other visitors, so the code runs in their
browsers with the trust of the site itself. The result can be anything
from a harmless pop-up window to exposure to malicious software.
Zulfikar Ramzan, a senior researcher with Symantec (NSDQ: SYMC) Security
Response, said that any time a site allows users to submit content,
there's a risk that someone may submit malicious code.
XSSed.com lists two of the vulnerabilities, one on each candidate's
site, as "unfixed" as of 2 p.m. PST on Tuesday, April 22.
One of the vulnerabilities reported on XSSed.com surfaced over the
weekend and has since been fixed. It allowed an unknown hacker to
redirect visitors who viewed the Community Blogs section on Barack
Obama's Web site to rival Hillary Clinton's Web site. Two other
vulnerabilities now listed only on mirror sites also appear to have been
Security vendors Netcraft and Symantec have both published blog posts
about the incident. And Zenophon "Zennie" Abraham, founder and CEO of
Sports Business Simulations, has posted a video demonstrating the hack
A Barack Obama campaign spokesperson did not immediately respond to a
request for comment.
However, a person posting under the name "Mox" on the Obama Community
Blog took credit for hacking BarackObama.com.
It is "Mox" who also takes credit for posting three of the XSS
vulnerabilities on BarackObama.com and the one on HillaryClinton.com.
The fourth XSS hole on BarackObama.com was posted by someone using the
Ramzan said that while the brief redirection of visitors to the Barack
Obama site wasn't particularly serious, an XSS vulnerability of this
sort could potentially be exploited to inflict more significant harm. He
suggested that a fake fund-raising solicitation window could be launched
this way and that it would probably fool a lot of people because it
would appear to be part of the official Barack Obama Web site.
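The pattern described above, user-submitted blog content rendered into the page verbatim so that script inside it runs in every visitor's browser, is sketched in the following added example. It is not code from either campaign site or from XSSed.com; the comment rendering functions, the redirect target URL and the payload are all constructed here for illustration. It puts the vulnerable rendering beside the escaped form and includes a crude check for raw script surviving in the output.

```javascript
// Added example: a toy blog-comment renderer, not the campaign sites' code.
// Models stored XSS via user-submitted content (constructed scenario).

// Escape the five characters that let text break out of an HTML text node.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));

// Vulnerable: the submitted author name and body are concatenated straight
// into the markup, so any <script> in them is shipped to every reader.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b><p>${body}</p></div>`;
}

// Hardened: every untrusted field is HTML-escaped before it reaches the page.
// Escaping is context-specific; this is correct for HTML text content only.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b><p>${escapeHtml(body)}</p></div>`;
}

// Constructed payload of the kind the article describes: send every visitor
// who views the comment to another site. The URL is a placeholder.
const redirectPayload =
  '<script>window.location="http://example.org/rival-site"</script>';

// Crude reviewer check over rendered output: does a live <script> element
// survive? (Event handlers and javascript: URLs need further checks.)
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
const unsafe = renderCommentUnsafe('commenter', redirectPayload);
const safe = renderCommentSafe('commenter', redirectPayload);
console.log('unsafe render carries script:', containsLiveScript(unsafe));
console.log('safe render carries script:  ', containsLiveScript(safe));
```

The escaped version neutralizes this payload because the browser treats `&lt;script&gt;` as literal text. It does not cover script placed in attributes or URLs, and a Content Security Policy that blocks inline script is the usual second layer where user content is rendered.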