Netscape.com says, "Hi to all Diggers!"

Surprised? Well, read on…

Early this morning, someone submitted a story on Netscape.com, and Digg fans all over the world erupted in laughter and glee. Ever since the story was submitted, this is what appears when Netscape.com is loaded in your browser:

The first is a four-letter expletive, and the second greets “all you Diggers out there!”

The culprit?

A story titled “Unbearable Cuteness”. Ironic, eh? Here’s the what and why of the entire fiasco.

Analysis:
A quick check of the JavaScript on the page reveals this script:

```html
via <a
title="http://www.cute.com"><script>alert("fuck");
alert("Hi to all you Diggers out there ;)");</script>"
href="http://www.cute.com"><script>alert("fuck");
alert("Hi to all you Diggers out there ;)");</script>"
onclick="trackOutbound(15475);">cute.com"><script>alert("fuck");
alert("Hi to all you Diggers out there ;)");</script>
```

The link that was submitted with the story exploited an XSS (Cross Site Scripting) vulnerability. PacketStorm had already published this vulnerability a month ago on the 6th of June. Apparently netscape.com does not sanitise user-submitted input (here, the story URL) before echoing it back into the page: the same string is reflected, unescaped, into the link’s title, href and visible text. As a result, a specially crafted URL like this one injects attacker-controlled JavaScript into the page for everyone who loads it.
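To make the mistake concrete, here is an added example (not code from Netscape or from this post) in Node.js. It renders a submitted story URL into an `<a>` tag the way the snippet above shows it was rendered, once without escaping and once with an HTTP(S)-only check plus HTML-attribute escaping. The function names, the `label` parameter and the sample URL are assumptions constructed for the example; the sample only mirrors the shape of the submitted link.

```javascript
// Added example, not Netscape's code: a submitted URL reflected into an <a> tag.
// The constructed sample input below mimics the shape of the submitted link.

// Escape the characters that matter inside HTML text and quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the submitted URL is pasted straight into the markup, so a
// value containing `">` closes the attribute and the tag, and whatever
// follows becomes part of the page.
function renderLinkUnsafe(url, label) {
  return `via <a title="${url}" href="${url}">${label}</a>`;
}

// Hardened: only http(s) URLs are accepted, and the value is escaped
// everywhere it is reflected (attribute values and the visible text).
function renderLinkSafe(url, label) {
  let parsed;
  try {
    parsed = new URL(url); // throws on values that are not a parseable URL
  } catch (e) {
    return "<span>[invalid link]</span>";
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return "<span>[invalid link]</span>";
  }
  const safeUrl = escapeHtml(parsed.href);
  return `via <a title="${safeUrl}" href="${safeUrl}">${escapeHtml(label)}</a>`;
}

// Defender's check: did a submitter manage to get a <script> tag into the output?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample: a URL field that breaks out of the attribute, as on Netscape.
const constructedPayload = 'http://www.cute.com"><script>alert("x")</script>';

console.log(renderLinkUnsafe(constructedPayload, "cute.com")); // <script> survives
console.log(renderLinkSafe(constructedPayload, "cute.com"));   // rejected/escaped
```

The unsafe renderer emits the `<script>` tag verbatim; the hardened one rejects the sample (its host contains characters the URL parser does not allow) and would escape any `<`, `>` or `"` that did get through, which is the output-encoding step the post says netscape.com was missing.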

While Netscape is looking into the matter, Diggers across the globe are having a field day running multiple “Ha Ha! Netscape gets hacked!!” stories. Most of the l33t Diggers are already publishing their insightful comments on the stories, too.

What can I say? There is a child in all of us… :)

Technorati Tags: netscape, digg, exploit, XSS