Netscape.com hit with cross-site scripting attack
The popular Web portal was hit by a cross-site scripting attack early on 26 July but Netscape says the problem has been addressed
According to a blog posting from F-Secure Corp., its researchers discovered at least four different code-laden posts. The attacks appeared in the form of pop-up boxes when visitors viewed certain pages on the Netscape.com site. Screen shots on the F-Secure Web site depict pop-up messages that read, "Tom Way is the sexiest man alive," "this site [expletive]. go here instead," and "Hi to all you diggers out there ;)."
Netscape spokesman Andrew Weinstein said the issue involved a cross-site scripting vulnerability that allowed for the posting JavaScript pop-up boxes, in some cases redirecting visitors to other Web sites.
Weinstein said the vulnerability was quickly discovered and addressed Wednesday morning. He said the Netscape team is monitoring the site closely for any further issues, but it has received no reports of any of its users being compromised in any way.
Mikko Hypponen, research director with the Finnish security firm, confirmed that the attack vector was a persistent cross-site scripting vulnerability in the site's newly launched news service, which seeks to emulate community news sites like Digg.com that enable visitors to recommend news articles from around the Web.
"The new Netscape user interface allows end-users to post HTML code that will be viewable by everyone else," Hypponen said. "This allows the user to enter script code and potentially malicious content to the public pages on Netscape.com.
"Attackers (who are obviously fans of Digg) have used the XSS vulnerability to inject their own JavaScript code snippets into pages on the Web site, including the homepage," Hypponen said.
Hypponen said before the issue was corrected, anyone with even a cursory knowledge of creating cross-site scripting exploits could have easily caused harm to Netscape visitors.
"One particularly nasty scenario is when this issue is combined with a browser exploit, for example, the one exploiting the Windows Meta File vulnerability in IE," Hypponen said. "In that case, Netscape visitors with unpatched machines could have their machines hacked."
He also noted that such an exploit could also have been used for phishing attacks.
It's unclear whether Netscape was targeted because of its controversial site redesign. Last month the site migrated away from its long-time portal-like design that emulated sites like MSN.com and Yahoo.com.
While Netscape has claimed that its users have largely approved of the change, a Web petition sponsored by Netscape user Ernie Jenkins was spawned to protest the change. So far it has garnered 1,431 signatures.
"It appears that some of the language in the redirects referred to Digg.com," Weinstein said, "so it's a safe assumption that some of those who posted them were fans of Digg."
Added Hypponen, "Netscape's new 'Digg-like' interface generated lots of interest and apparently somebody tried to stretch the limits of user-controlled content."