 |
 |
 |
|
| SecurityProNews > Insider Reports > Insider > Did Netscape Ignore XSS Flaw? |
[ insider_reports_insider ]Did Netscape Ignore XSS Flaw?
Jason Lee Miller Staff Writer 2006-08-04  Insider Reports RSS Feed
Hackers claim to live by codes. No matter what people think of "D," who hacked the new Digg-style Netscape, he insists it was done for good, not evil. Besides, says D, they had it coming. He gave them ample warning about their security problem.
News of the hack was first reported by security company F-Secure on July 26th, a few days after Netscape head Jason Calacanis offered A-list Digg.com submitters $1,000 per month to write for Netscape instead. Visitors checking out Netscape's new format were greeted with pop-ups, created from a cross-site scripting (XSS) vulnerability, containing profanity, redirects to Digg.com, and the comedic proclamation that someone named Tom Way was the sexiest man alive, giving the exploit a prank feel. Hacker ethics, as alluded to earlier, include a set of commandments for "moral" use of the trade. Hackers are not to destroy or damage files. They should notify system administrators about security holes located. They should not steal. They should document and distribute information about exploits. According to D, set to begin as a first-year computer science student, these guidelines were followed in attempt to protect Netscape users from malicious hackers. D directed SecurityProNews to a vulnerability notice posted at Packet Storm Security on June 13th, detailing the XSS bug, a month and a half before the hack. "In itself it's not harmful," said D, "though it was interesting to see how they failed to properly sanitize such a high-traffic site. I poked around some more, and soon realized that they hadn't sanitized the stories submitted to their site either; suddenly it's not so whimsical. Recognizing the potential for insertion of persistent malicious code or phishing attacks, I immediately alerted them to it in an email." D admits that it was "reasonable" to have not received a response from a highly trafficked site, likely with a high level of emails coming in. He decided to take another route by submitting a story to Netscape to alert them to the flaw's presence, without detailing the specifics. Using several accounts he voted the story to the front page, at which point it was "promptly deleted by a moderator," still with no contact from Netscape. Over the span of a week, D says he posted four stories on Netscape and two on Digg, with the later ones detailing part of the exploit. All stories were deleted, he says. " It was about this time that Jason Calacanis and Kevin Rose got into their little blog-spat about Calacanis trying to subvert Digg by paying its top contributors to come over to Netscape. Now I'm confronted with Netscape being both incompetent and unethical, and if Calacanis' scheme works they'll face a huge influx of traffic, people placed in danger by their continued ignorance of this exploit. "Since Jason was being such a t**t and because they continued to ignore my warnings, I decided to alert the general public to the exploit; if that didn't cause them to fix it, apparently nothing would." D used the input form for new stories to add a snippet of javascript with alert boxes. He says he wanted the alerts to be "juvenile and shocking" to get people's attention. Several stories were submitted across popular topic areas to bring wider attention to the problem. "Now that people could see the exploit they could of course execute code themselves; it was dangerous for a short while to go there. As such, I added a redirect to digg.com to several of the code snippets, to get people away from the page as much as possible." Since the exploit was "benign," D hopes that Netscape will recognize how much damage could have been done by someone with malicious intentions, and consider the hack a good deed. "I'm sure they aren't exactly grateful, but one can hope that they won't pursue legal action as I was just trying to help." Who, exactly, is the now infamous Tom Way? Tom is an 18-year-old high school student who claims to not understand any of this cross-scripting "mumbo jumbo." Tom waxes philosophical about Internet fame, saying it's "only slightly less fulfilling than real fame." Neither, Jason Calacanis nor Netscape Chief Architect Brian Alvey could be reached for comment before publication. Netscape, Security, XSS Add to  Del.icio.us |  Digg |  Yahoo! My Web |  Furl
Get all the updates in RSS: 
View All Articles by Jason Lee Miller About the Author: Jason is a graduate of the University of Kentucky. He covers business, technology, and security issues. More insider_reports_insider Articles Insider Reports RSS Feed
|
|
 |
iEntry Featured Services: Jayde Member Services | Forums | Freeware | Advertise with Us |
 |
| Contact
Us | Advertise
| Newsletter
Archive | Sitemap
| Submit an
Article | News
Feeds SecurityProNews is an iEntry, Inc.® publication - 1998-2008 All Rights Reserved | Privacy Policy and Legal |
Join the WebProWorld Forums: Click Here |
|
|||||||||||||||||||||||||
