Clinton-Obama campaign uses XSS as a weapon

While Clinton and Obama are battling it out in the political arena, security researchers are continuing to find vulnerabilities in the candidates' and supporters' websites. Interestingly, while a typical exploit is to redirect one party's site to their opponent's, the reasons for seeking to discover such vulnerabilities are not always politically motivated.

Following the recent cross-site scripting attacks against Obama (see previous post), Finnish security researcher Harry Sintonen has published an example of a cross-site scripting vulnerability on votehillary.org.

Sintonen's example submits a POST request to the Vote Hillary website and injects an iframe, causing the site to display the contents of Barack Obama's website. Unlike the Obama incident, which redirected the user's web browser, Sintonen's method retains the votehillary.org URL in the address bar while displaying the opposing website.

Sintonen told a Netcraft reporter that he was inspired by the recent Obama attacks and first examined Hillary Clinton's official website at www.hillaryclinton.com. Sintonen did not find any cross-site scripting vulnerabilities on this site, adding that it looked quite secure, but subsequently found XSS opportunities available on the Vote Hillary website. Sintonen lives in Finland and has no strong interest in US politics.

While the example exploits have so far been relatively benign (limited to redirecting a user to the opponent's website, for example), future cross-site scripting vulnerabilities found on political candidate sites have plenty of scope to be much more serious. Obama's and Clinton's websites both accept monetary contributions towards their campaigns, so cross-site scripting vulnerabilities could be leveraged to steal money and identities from supporters.

Sintonen told Netcraft he informed the webmasters of votehillary.org about this cross-site scripting vulnerability two days ago, but has not yet received a response.

Wasted WSJ and interesting graphs

Browsing through back issues of Saturday (6/12/07-ish) Wall Street Journal, page A8, has an article on patent reform: "Businesses Battle Over Patent Law", not even getting the captions right. It has "Technology" companies like Microsoft on one side, and "Biotech etc." companies on the other. Hey, Journal - "biotech" is short for "bioTECHNOLOGY"!

The article has a few interesting statistics:

- intangible assets, including IP, account for nearly one-third
of the value of all U.S. stocks, about $5 trillion

- software patents make up about 15% of all issued patents (hey,
people, send me more invalidity search requests :-)

- more patent cases are settled out of court than for other
bodies of civil law

They have one dishonest graph - the number of patent lawsuits filed in the US courts each year. The graph itself has accurate data, and looks ominous, until you normalize the data to the number of issued patents each year or to the number of companies in the US each year or to the
GDP each year, and the result is a boring fact - the percentage of issued patents litigated each year has remained constant for decades.

And those who know me - I do love interesting graphs.

(the same stupid graph again, that of the intensity of my glittered lipstick, the amount of hazel mocha in my Euro design mug, and the speed of my internet connection plotted against time)

Someone is keeping track of Wall Street, and is being very inventive about it - DeepMarket- the blog analyzes stock performance like a wizard, and anyone who has had Calculus back in college will appreciate the blog's inverted head and shoulders chart report. So many stock opportunities! I have hedged it all in gold.

Hacker drives Obama visitors to Clinton

A security weakness in Barack Obama's website has been exploited to redirect visitors to Hillary Clinton's website. Visitors who viewed the Community Blogs section of the site were instead presented with Clinton's website as a result of a cross-site scripting vulnerability.

Barack Obama's visitors were redirected to this site.

A user named Mox, from Liverpool, IL, posted an apparent confession in the Community Blogs section on the Barack Obama website yesterday. The subject of the post was, "I am the one who "hacked" Obama's site."

Mox plays down the matter by saying that all he did was exploit some poorly written HTML code before suggesting that it was a cross-site scripting vulnerability that had been exploited. By allowing users to enter characters such as > and " into their blog URLs, JavaScript could be injected into pages in the Community Blogs section and would be executed by subsequent visitors.

A YouTube clip from zennie62 demonstrates the attack. The clip shows a user clicking on the Community Blogs section of the Barack Obama site, which subsequently causes the browser to redirect to hillaryclinton.com. The author speculates that "Senator Clinton's staffers possibly hired someone to hack into the Barack Obama website system." No evidence is offered to back up this statement.

Another vulnerability found on the Barack Obama site.

While Mox states that the original issue has now been fixed, a number of similar vulnerabilities have since been identified and remain unfixed, and are documented on xssed.com, which notes that such vulnerabilities open up opportunities to infect Obama's supporters and site visitors with malware, adware and spyware.