Obama Site Visitors Redirected to Clinton Campaign
On the eve of the presidential primary in Pennsylvania, an online prankster leveraged a security vulnerability on Sen. Barack Obama's campaign Web site to redirect visitors to Sen. Hillary Rodham Clinton's campaign site.
According to Symantec, someone embedded computer code into a posting on the Obama blog. The content in this case targeted a cross-site scripting flaw (XSS), an exceedingly common type of vulnerability that can be used to automatically redirect Web browsers viewing the affected page to another site.
The redirect was posted shortly after the Obama site was listed at xssed.com, a collaborative online archive of cross-site scripting vulnerabilities present in thousands of Web sites.
While the episode appears to have been little more than a prank, the Web site flaw could have been used for more nefarious purposes, such as silently installing malicious software from third-party sites or popping up a fake campaign contribution page to steal money from Obama supporters, said Zulfikar Ramzan, a senior researcher at Symantec.
"Clearly, if someone wanted to make money off of this they could have easily put browser exploit code in there," Ramzan said. Redirecting visitors to malicious sites that use browser exploits to silently install nasty software also could be an embarrassing moment for the campaign that might deter people from contributing online, a major source of fundraising these days, Ramzan said.
The Obama campaign appears to have fixed the flaw that allowed the redirects. But interesting enough, Clinton's site is similarly vulnerable, according to xssed.com. Security Fix confirmed by clicking on the link at that archive that the login page at "connect.hillaryclinton.com" currently contains a cross-site scripting flaw that could redirect visitors or present them with scam pages.
The comments to this entry are closed.