Barack Obama's official site hacked

Written by DP

Friday, 18 April 2008

Updates:
One more XSS by mox: (Requires login)

Another XSS that uses a POST request (submitted on 20/04):

and a... script insertion (submitted on 20/04) [Mirror]:

...and forgot to mention that is also vulnerable:


mox has just submitted a critical script insertion vulnerability affecting - Barack Obama's official social networking site for his supporters.

It is possible to inject an iframe into the title parameter of your personal group [Mirror]:

Attackers can load remote JavaScript inside the iframe and infect Obama's supporters and site visitors with malware, adware and spyware. They can even display a defaced group page with pro-Hillary messages... :-P

A few days ago, C1c4Tr1Z also discovered another XSS [Mirror]:

Filtering the word "script" is obviously NOT the solution: the iframe injection above contains no "script" at all. Encoding special characters to HTML entities when the value is written into the page is the proper fix. Anyway, for a title you don't need any HTML...
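To illustrate the point, here is an added example (not code from the original post or from the site in question) contrasting a naive "script" blocklist with HTML entity encoding of a group title; the sample title and the helper names are constructed for the demonstration.

```javascript
// Added example: why stripping the word "script" from a user-supplied
// title does not prevent injection, and what output encoding looks like.
// Function names and the sample title are constructed, not from the post.

// Naive blocklist filter, roughly the approach the post criticises:
// it only removes the literal substring "script".
function naiveScriptFilter(title) {
  return title.replace(/script/gi, "");
}

// Output encoding: replace the characters that have meaning in an HTML
// text or attribute context with their entity equivalents.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};
function encodeHtml(title) {
  return title.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Render a group page heading through a chosen sanitiser.
function renderGroupTitle(title, sanitize) {
  return `<h1 class="group-title">${sanitize(title)}</h1>`;
}

// Demo-only check: does the fragment contain any tag other than the
// <h1> we wrote ourselves? A real check would parse the HTML.
function containsForeignTag(html) {
  return /<(?!\/?h1\b)[a-z]/i.test(html);
}

// Constructed sample: an iframe in the title, as in the report above.
// It never contains the word "script", so the blocklist lets it through.
const SAMPLE_TITLE = '<iframe src="//example.invalid/"></iframe>';

// Returns true when the blocklist version still carries a foreign tag
// and the encoded version does not.
function demonstrate() {
  const unsafe = renderGroupTitle(SAMPLE_TITLE, naiveScriptFilter);
  const safe = renderGroupTitle(SAMPLE_TITLE, encodeHtml);
  return containsForeignTag(unsafe) && !containsForeignTag(safe);
}

console.log(renderGroupTitle(SAMPLE_TITLE, naiveScriptFilter));
console.log(renderGroupTitle(SAMPLE_TITLE, encodeHtml));
```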

Have a look in the Articles section for information on preventing XSS and CSRF.

Related news (Updated):
[April Fools joke by 2600] / "Barack Obama's website was not hacked" - April 2 2008 (The irony)
