Security Government Politics

Campaign Sites Full of Vulnerabilities

Posted by Hemos
from the not-surprising dept.
An anonymous reader writes "Bloggers have been buzzing about the new wave of "Web 2.0" campaign sites, but it seems that a lot of presidential candidates haven't bothered to protect themselves from cross-site scripting attacks. A blogger has found a collection of XSS vulnerabilities including the websites of Barack Obama, Joe Biden, John Edwards, Mitt Romney, John Cox, Newt Gingrich, Tom Tancredo, the Democratic National Committee, and even a surprise from Whitehouse.gov. Some of the holes are low-risk, but others would allow a user's accounts on the affected website to be compromised. A victim would simply have to click on a maliciously crafted link that appears to lead to the candidate's site."

  • Action (Score:2, Redundant)

    by rlp (11898)
    The responsible action would be to warn each site's administrator of the vulnerability. Regardless of your personal political views.
    • Agreed. Hopefully some of their IT people will notice this huge banner (this Slashdot article) and do something about it. It is kind of difficult to understand why reputable development firms allowed the vulnerabilities to exist in the first place, unless they just didn't know of the weaknesses.

      Better to learn now than in a few months or even a year however...

    • by ravenfan (1070656)
      It just goes to show that you should always question the information you're given and not believe everything you're told.
  • by TheLink (130905) on Monday February 26, 2007 @09:03AM (#18152244) Journal
    There really is plenty that can be done nowadays, and the url shortening sites make it possible to do even more "interesting" stuff.

    For example: some discussion boards only check the url endings to see if it ends with jpg or gif before allowing you to specify it as your avatar.

    Most url shortening sites allow you to add /blah.jpg to the shortened url without grumbling, and they will just append /blah.jpg to the final expanded URL.

    So if you pick an expanded URL of http://targetsite.com/do=somethingnaughty&foo=

    And the shortened URL is say: http://shorturl.org/s/szxvnf

    Then you can specify an image to be http://shorturl.org/s/szxvnf/blah.jpg
    and it will expand to http://targetsite.com/do=somethingnaughty&foo=/blah.jpg

    And so something naughty happens without the victim even needing to click on anything.

    If the site signs urls with the user's session cookie, and all urls and forms must have a checksum derived from this, then that makes it harder for the attacker.

    However, if the attacker manages to inject javascript somewhere, that javascript could figure out the session cookies and other stuff. And that is why javascript is such a risk.

    To reduce such risks, I proposed years ago to the W3C and browser makers to have an HTML tag that disables active content, but nobody really seemed interested.

    Example:
    <shieldson lock="randomstring" allowed="java,vrml,svg" />
    disallowed material disabled
    <shieldsoff lock="randomstring"/>

    The attacker has to guess "randomstring" in order to inject active content that's not specifically allowed between <shieldson> and <shieldsoff>. Otherwise the browser will just ignore it (and/or log an error).

    Without such tags, HTML is like driving a car with 100 accelerator pedals, but not a single brake pedal. To stop you need to make sure that ALL 100 accelerator pedals are not pressed.

    Various people have said: "Just escape stuff correctly". But I think the evidence is that even though in theory people can make sure all 100 "Go" pedals are "escaped", in practice that doesn't happen well enough.

    Furthermore, if someone comes up with a new "Go" tag #101, your old escaping libraries might not escape it correctly. Whereas my proposed "brake" tag will have a "default deny" behaviour, the browser should only allow specified active content. So any new type of active content that slips through escaping will still be ignored.

    In my opinion the browser makers and browser language makers are not really interested in security.

    Oh well...
    • Re: (Score:2, Funny)

      by Spazntwich (208070)
      This plan sounds about as effective as protecting your website's content by disabling right-click with javascript.
    • by Firefly1 (251590)

      Most url shortening sites allow you to add /blah.jpg to the shortened url without grumbling, and they will just append /blah.jpg to the final expanded URL.

      Question: what purpose, exactly, do these 'URL shortening sites' serve? It seems to me that the length of a URL is pretty much irrelevant, given that you can copy and paste the things. Bonus for Opera users: said browser semi-automates the process of copying a URL from, say, an email and opening it in a new window: highlight URL, right-click, choose 'G
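The two mechanisms TheLink describes above (an avatar check that only inspects the URL's ending, which a shortener that appends arbitrary trailing paths defeats, and the defence of signing every URL with a checksum derived from the session) can be shown side by side. The following is an added example, not code from the thread; the shortener host, the expanded target URL, the image-host allowlist and the session secret are constructed stand-ins, and the shortener's redirect is simulated locally so the example runs offline.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed values (hypothetical hosts taken from the comment, not real services).
SHORTENER = "http://shorturl.org/s/szxvnf"
EXPANDED = "http://targetsite.com/do=somethingnaughty&foo="
ALLOWED_IMAGE_HOSTS = {"images.example.org"}  # constructed allowlist for avatars


def naive_avatar_check(url: str) -> bool:
    """The weak check from the comment: only look at how the URL ends."""
    return url.lower().endswith((".jpg", ".gif"))


def expand_shortened(url: str) -> str:
    """Simulate a shortener that tacks any trailing path onto the expanded URL.
    Stand-in for the real redirect so nothing is fetched over the network."""
    if url.startswith(SHORTENER):
        return EXPANDED + url[len(SHORTENER):]
    return url


def stricter_avatar_check(url: str) -> bool:
    """Extension check plus a host allowlist and no query string.
    A shortener host is not on the allowlist, so its URLs are refused
    regardless of what they end with."""
    parts = urlsplit(url)
    return (
        parts.scheme in ("http", "https")
        and parts.hostname in ALLOWED_IMAGE_HOSTS
        and parts.path.lower().endswith((".jpg", ".gif"))
        and not parts.query
    )


def _canonical(path: str, params: list) -> str:
    """The exact bytes that get signed: path plus every non-sig parameter."""
    return path + "?" + urlencode(params)


def sign_url(url: str, session_secret: bytes) -> str:
    """Bind a state-changing URL to the caller's session by appending
    sig=HMAC-SHA256(session_secret, path?query)."""
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "sig"]
    sig = hmac.new(session_secret, _canonical(parts.path, params).encode(), hashlib.sha256).hexdigest()
    params.append(("sig", sig))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), parts.fragment))


def verify_signed_url(url: str, session_secret: bytes) -> bool:
    """Accept the URL only if it carries exactly one sig that matches this session.
    Anything appended by a shortener, or any edited parameter, changes the
    canonical string or the sig itself and fails here."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    given = [v for k, v in params if k == "sig"]
    if len(given) != 1:
        return False
    rest = [(k, v) for k, v in params if k != "sig"]
    expected = hmac.new(session_secret, _canonical(parts.path, rest).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, given[0])


if __name__ == "__main__":
    avatar = SHORTENER + "/blah.jpg"
    print("naive check passes shortener URL:", naive_avatar_check(avatar))
    print("browser would actually fetch:", expand_shortened(avatar))
    print("stricter check passes it:", stricter_avatar_check(avatar))
    secret = b"constructed-session-secret"
    signed = sign_url("http://targetsite.com/action?do=somethingnaughty&foo=", secret)
    print("signed URL verifies:", verify_signed_url(signed, secret))
    print("shortener-mangled URL verifies:", verify_signed_url(signed + "/blah.jpg", secret))
```

The signature covers the path and every parameter, so the `/blah.jpg` a shortener appends lands on the end of the `sig` value and the comparison fails; a URL that never carried a signature (the avatar-trick case) is refused outright. The host allowlist is what actually closes the avatar hole, since the extension check alone is satisfied by any URL the attacker controls.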

  • Remember when Lieberman's website [nationaljournal.com] was molested?
    • Re: (Score:1, Informative)

      by Anonymous Coward
      Remember when Joe Lieberman's staff lied about his site being hacked and it turned out he just paid for cheap web service and got just what he paid for? And then he cried to the FBI who also found nothing happened:

      http://www.tpmmuckraker.com/archives/002200.php [tpmmuckraker.com]
  • by cno3 (197688) on Monday February 26, 2007 @09:08AM (#18152294) Homepage
    Why plug the holes? Blaming "the other guy" for a malicious attack on your web presence makes for such good press [breitbart.com].
  • by ReidMaynard (161608) on Monday February 26, 2007 @09:09AM (#18152300) Homepage
    I dare someone to photoshop moustaches on the candidates pics....
  • I've always felt that that they're pretty weak vulnerabilities. Yes they are vulnerabilities but I consider sql injection and remote code execution vulnerabilities much more dangerous. Doesn't someone need to visit your site in order to make the attack work?
    • I think it's a fairly good bet that there will be many many people visiting these sites.
    • by TheLink (130905)
      They're not weak vulnerabilities if they happen on webmail sites, Amazon, Ebay and so on.

      All these sites display content from 3rd parties. If they screw up, or a popular browser screws up, pretty naughty stuff can happen.

      People complain that "one click buy" is not secure? Hah, you should see "zero click buy"[1] when it happens. And then there's bidding...

      Once you can sneak in significant amounts of arbitrary javascript, it's pretty much "pwn3d time".

      [1] Perhaps I should patent it, but it's so obvious to any
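TheLink's point in this sub-thread (and in the earlier "just escape stuff correctly" remark) is that the damage starts the moment user-supplied text reaches the page unencoded. The added example below, which is not code from the thread, puts a reflected search parameter into a page two ways, once raw and once entity-encoded for the HTML body, adds a link builder that encodes for attribute context and keeps only same-site relative paths, and includes a small check a site owner can run over their own responses to see whether input is being echoed back unencoded. The page shape, the probe string and the link destinations are all constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed probe: a search term carrying markup and double quotes, the
# kind of harmless marker used to test one's own site for reflection.
PROBE = '<script>document.title="x"</script>'


def render_results_vulnerable(query: str) -> str:
    """The defect: the parameter is echoed straight into the HTML body."""
    return f"<h2>Results for {query}</h2>"


def render_results_safe(query: str) -> str:
    """Same page, with the parameter entity-encoded for body context.
    quote=True also encodes the quote characters, so the same helper is
    safe to reuse inside double-quoted attributes."""
    return f"<h2>Results for {html.escape(query, quote=True)}</h2>"


def render_next_link_safe(next_url: str) -> str:
    """A 'continue to' link built from a user-supplied destination.
    Only same-site relative paths are accepted (no scheme, no host, no
    protocol-relative '//'); anything else falls back to '/'. The value is
    then encoded for attribute context, so a stray quote cannot close the
    attribute and start a new one."""
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc or not parts.path.startswith("/") or parts.path.startswith("//"):
        next_url = "/"
    return f'<a href="{html.escape(next_url, quote=True)}">continue</a>'


def reflected_unencoded(user_input: str, page: str) -> bool:
    """Self-check for a site owner: True when input containing HTML
    metacharacters appears verbatim in the rendered page, i.e. the output
    encoding step was skipped somewhere."""
    return any(c in user_input for c in '<>"\'') and user_input in page


if __name__ == "__main__":
    print("vulnerable page reflects probe unencoded:",
          reflected_unencoded(PROBE, render_results_vulnerable(PROBE)))
    print("safe page reflects probe unencoded:",
          reflected_unencoded(PROBE, render_results_safe(PROBE)))
    print(render_results_safe(PROBE))
    print(render_next_link_safe("/donate?ref=1"))
    print(render_next_link_safe("http://evil.example/x"))
```

The detection helper is deliberately blunt: it only says whether encoding was skipped, which is the question that matters when auditing one's own site, and it finds the body and attribute cases alike because both renderers are fed the same probe.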
  • A blogger has found a collection of XSS vulnerabilities including the websites of Barack Obama, Joe Biden, John Edwards, Mitt Romney, John Cox, Newt Gingrich, Tom Tancredo
    Ms. Former (First?) Lady gets my vote...too bad for her that I don't have one, eh?
  • by greg1104 (461138) <gsmith@gregsmith.com> on Monday February 26, 2007 @10:05AM (#18152898) Homepage
    This is nothing compared to all the holes and open ports I found last time I was at the whitehouse.com site.
  • The summary says that the attacks could compromise user accounts. This raises an interesting question... why do presidential-campaign websites even have accounts for members of the public? What non-cosmetic functionality does that provide that couldn't be done some other way?

    Full disclosure: The proliferation of websites that require accounts is a personal pet peeve. There are lots of places where I can't apply for a job or buy something without creating an account, leading to a nasty proliferation of pas

    • The summary says that the attacks could compromise user accounts. This raises an interesting question... why do presidential-campaign websites even have accounts for members of the public? What non-cosmetic functionality does that provide that couldn't be done some other way?
      Sites make you register to help them avoid comment spam. CAPTCHA is another alternative, but then you have to make allowances for people with disabilities (not to mention that they can be painful sometimes).
