Did Netscape Ignore XSS Flaw?

Tags: Netscape + Digg + Jason Calacanis + Brian Alvey + Tom Way + XSS Flaw

Qu Leheng
Qu Leheng posted on Aug 5th 2006 2:20AM; via securitypronews.com/insiderrep...

Visitors checking out Netscape's new format were greeted with pop-ups, created from a cross-site scripting (XSS) vulnerability, containing profanity, redirects to Digg.com, and the comedic proclamation that someone named Tom Way was the sexiest man alive, giving the exploit a prank feel.

Hacker ethics, as alluded to earlier, include a set of commandments for "moral" use of the trade. Hackers are not to destroy or damage files. They should notify system administrators about security holes they locate. They should not steal. They should document and distribute information about exploits. According to D, who is set to begin as a first-year computer science student, these guidelines were followed in an attempt to protect Netscape users from malicious hackers.

D directed SecurityProNews to a vulnerability notice posted at Packet Storm Security on June 13th, detailing the XSS bug, a month and a half before the hack.

"In itself it's not harmful," said D, "though it was interesting to see how they failed to properly sanitize such a high-traffic site. I poked around some more, and soon realized that they hadn't sanitized the stories submitted to their site either; suddenly it's not so whimsical. Recognizing the potential for insertion of persistent malicious code or phishing attacks, I immediately alerted them to it in an email."

"Since Jason was being such a t**t and because they continued to ignore my warnings, I decided to alert the general public to the exploit; if that didn't cause them to fix it, apparently nothing would."

D used the input form for new stories to add a snippet of JavaScript with alert boxes. He says he wanted the alerts to be "juvenile and shocking" to get people's attention. Several stories were submitted across popular topic areas to bring wider attention to the problem.
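The defect described above is a stored (persistent) XSS: text typed into the story submission form was written back into pages for every visitor without output encoding. The following is an added illustration, not code from the article or from Netscape, of the control whose absence the article describes: encoding every user-controlled field for the HTML context it lands in, and separately validating URL fields, since encoding alone does not stop a `javascript:` link in an `href`. The `renderStory` and `safeHref` functions and the sample submission are constructed for this example.

```javascript
// Added example (not from the article): HTML output encoding for
// user-submitted story fields, plus URL validation for link fields.

// Characters that can change meaning inside HTML text or attribute values.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a string so the browser displays it as text instead of parsing it as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Only allow http(s) links; anything else (javascript:, data:, unparsable) becomes an inert '#'.
// Hypothetical base origin used solely to resolve relative URLs.
function safeHref(url) {
  try {
    const parsed = new URL(String(url), 'https://example.invalid/');
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
      return escapeHtml(parsed.href);
    }
  } catch (_) {
    // fall through to the inert value
  }
  return '#';
}

// Render a submitted story into an HTML fragment, encoding every user-controlled field
// for the context it is placed in (element text vs. href attribute).
function renderStory(story) {
  return (
    `<article><h2><a href="${safeHref(story.url)}">${escapeHtml(story.title)}</a></h2>` +
    `<p>${escapeHtml(story.body)}</p></article>`
  );
}

// Constructed sample submission containing markup and a script-scheme link,
// of the kind the article says Netscape's form accepted verbatim.
const SAMPLE_STORY = {
  title: 'Breaking <script>alert(1)</script>',
  body: 'Tom Way & "friends"',
  url: 'javascript:alert(1)',
};

console.log(renderStory(SAMPLE_STORY));
```

Because the sample title's `<script>` tag is rendered as `&lt;script&gt;`, the browser shows it as literal text, and the `javascript:` URL is replaced with `#`; the same encoding must be applied at every place the stored fields are later displayed, not only on the submission page, which is what makes persistent XSS harder to fix than the reflected variant.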

"I'm sure they aren't exactly grateful, but one can hope that they won't pursue legal action as I was just trying to help."

