Cross-site scripting flaw enabled embarrassing redirect
A cross-site scripting flaw exploited on the website of Illinois Senator and presidential hopeful Barack Obama caused visitors to the blog section to be redirected to rival Hillary Clinton's site.
On Saturday night, things were not all right for Obama's site visitors. Those who tried to visit the community section of those pages found themselves at an entirely unwanted destination - the website to elect Hillary Clinton to the Presidency.
A video on YouTube showed the redirection in action. Zennie Abraham, who runs a company called Sports Business Simulations, discovered the problem when trying to reach his blog on the Obama site.
"This is serious because it means Senator Clinton could also unethically poach donors from the Obama campaign via online website redirects like this," he wrote. "Terrible and unethical."
Abraham also pointed out the site had been developed by Blue State Digital, a design firm that has created numerous sites for Democratic candidates and like-minded people and businesses. A flaw in Obama's site could be present in others designed by the firm.
Someone identifying themselves as Mox from Liverpool, IL, claimed to be responsible for the attack on the Obama website. "All I did was exploit some poorly written HTML code," wrote Mox.
When a user creates a blog on Obama's site, the characters in the blog's name become part of the URL. Put the right characters in the name, and if the application creating the blog doesn't sanitize them, a cross-site scripting condition comes into being.
Mox's explanatory post ends abruptly, so it isn't known if the individual confessed to doing this in support of the Clinton candidacy or not. However, Mox claims the flaw has been fixed on the site.
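The failure described above, where characters from a user-chosen blog name reach the URL and the page unsanitized, is shown here beside a hardened form. This is an added example, not code from the Obama site or Blue State Digital; the /blog/ path, the function names and the sample blog name are assumptions constructed for illustration.

```javascript
// Added example with hypothetical names; not the original site's code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode text for an HTML element body or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow-list for the URL segment: only a-z, 0-9 and hyphens survive,
// so no quote, angle bracket or slash from the name can reach the URL.
function slugify(name) {
  const slug = String(name)
    .normalize("NFKD")
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, "-")
    .slice(0, 64)
    .replace(/^-+|-+$/g, "");
  return slug || "blog"; // never emit an empty path segment
}

// BEFORE: the name is concatenated as-is, so its quotes close the href
// attribute and its angle brackets become live markup in the page.
function renderBlogLinkUnsafe(name) {
  return '<a href="/blog/' + name + '">' + name + "</a>";
}

// AFTER: the URL gets the allow-listed slug and the visible text is
// HTML-encoded, so the name is displayed as text and never parsed as markup.
function renderBlogLinkSafe(name) {
  return '<a href="/blog/' + slugify(name) + '">' + escapeHtml(name) + "</a>";
}

// Constructed sample input: a blog name containing harmless markup characters.
const SAMPLE_NAME = 'Road "Trip" <b>2008</b>';

console.log("unsafe:", renderBlogLinkUnsafe(SAMPLE_NAME));
console.log("safe:  ", renderBlogLinkSafe(SAMPLE_NAME));
```

The encoding is applied at output time for each context (URL segment, HTML text), which keeps the stored blog name intact while making it inert wherever it is rendered.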
About the author:
David Utter is a staff writer for WebProNews covering technology and business.
Comments
Obama Site Hack
Wouldn't this have been more useful if you had clearly explained the hack, or shown us precisely what not to do on our sites?
Clinton Hacker
Shame on you HRC! I'll never vote for you...
Terrible News
This is terrible news. Does anyone know how long this hack was in place for?
Sad...
It's sad that such easily preventable vulnerabilities are affecting high-profile sites like presidential candidate websites.
redirected
it's not that good for election campaign,
http://www.imavista.com
This is bad..
This is terrible politics. I don't know if this is done with the consent of Mrs. Clinton. But whoever did this has caused more damage to Mrs. Clinton than good. :(
why does everything require consent of the candidate?
perhaps this person just did it to do it.
this isn't some bad tv movie where the candidate hires the hacker is it?
why do hackers do it, cause it can be done.
amen. what better place to direct it than obama's major opposition. this has nothing to do with hillary. personally i find it all pretty funny.