Obama site hacked; Redirected to Hillary Clinton

Summary: With a day to go before a critical Pennsylvania Democratic primary, Barack Obama's team has been busy patching security holes. According to Netcraft, a hacker exploited security flaws in Obama's site to redirect traffic to Hillary Clinton's site.

With a day to go before a critical Pennsylvania Democratic primary, Barack Obama's team has been busy patching security holes.

According to Netcraft, a hacker exploited security flaws in Obama's site to redirect traffic to Hillary Clinton's site. Anyone who visited the community blogs section of Obama's site was sent to Clinton's.

Someone named Mox confessed to the hack in an Obama community blog:

First, let me explain why I put hacked in quotation marks. It is because what I did was not hacking in the sense that I burrowed into some dusty server and changed the Obama site and stole all your credit card numbers. All I did was exploit some poorly written HTML code.

So, you may be wondering, I never saw this hacking! Well, apparently someone videotaped it. http://youtube.com/watch?v=NKjomr1Afq0. You may also be wondering, how did you get Hillary's site to appear where Obama's should be. The answer to that is, through the magical world of Cross Site Scripting. http://en.wikipedia.org/wiki/Cross-site_scripting.

You might be wondering, how did you get XSS to work here? First, go to your manage blog tab. Then go to Edit Settings. You see how you can put anything you want as a blog URL? Well, it's fixed now, but before you could put in any characters you wanted. Including >, ", and

Here's the demonstration, via YouTube. Also see XSSed and Computerworld.
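The flaw Mox describes is a user-controlled "blog URL" setting dropped into an HTML attribute without validation or encoding. The following is an added example, not code from the Obama site or from anyone quoted above; it renders a blog link the vulnerable way beside a hardened version (scheme allowlist on input, attribute encoding on output), using constructed sample values.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from the page): a normal blog URL and
# a value that abuses a field which accepts '"' and '>' unfiltered, so that it
# closes the href attribute and appends a redirect script like the one the
# article describes.
SAFE_URL = "http://example.org/my-blog"
BREAKOUT = '"><script>document.location=\'http://example.net/\'</script><a href="'


def render_link_vulnerable(blog_url: str) -> str:
    """Pre-fix behaviour: the setting is interpolated straight into an href."""
    return f'<a href="{blog_url}">my blog</a>'


def validate_blog_url(blog_url: str) -> Optional[str]:
    """Accept only absolute http(s) URLs with a host; reject everything else.

    urlsplit() finds no scheme in the breakout string (it starts with '"'),
    and 'javascript:' is not on the allowlist, so both are refused.
    """
    parts = urlsplit(blog_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    # Markup delimiters have no business in a URL setting; refuse rather
    # than try to strip them.
    if any(ch in blog_url for ch in '<>"\'\x00'):
        return None
    return blog_url


def render_link_hardened(blog_url: str) -> str:
    """Validate on input and encode on output; both layers must hold."""
    clean = validate_blog_url(blog_url)
    if clean is None:
        return "<a>my blog</a>"  # unset link rather than a guessed href
    # html.escape(quote=True) also turns '&' into '&amp;', which is what
    # an attribute value needs even for a legitimate query string.
    return f'<a href="{html.escape(clean, quote=True)}">my blog</a>'


def contains_injected_tag(rendered: str) -> bool:
    """Check used below to show whether the breakout produced a script tag."""
    return "<script" in rendered.lower()
```

Running both renderers over the same constructed input shows the vulnerable version emitting a live script tag while the hardened version emits a link with no href at all.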

  • You'd be amazed how many sites are out there

    where you could delete the whole database just by filling in a search form in a particular way. It would take literally seconds.
    fr0thy2
• I was surprised...

      to find that I worked with people that didn't know about SQL injection.
      storm14k
      • <span style="color:#f00">I just looked at a few sites</span>

        <span style="text-transform:blink">and they'll quite happily accept percents, double minuses and quotes etc.</span>

        I suppose I should be a good citizen and offer to fix it for them ;-)
        fr0thy2
        • ahem

          You did that to your own post, didn't you? Schweet!

          :o)
          Jack-Booted EULA
  • RE: Obama site hacked; Redirected to Hillary Clinton

    They've probably just literally entered something like :

    <script>
    document.onload = (document.location = 'http://www.barackobama.com/');
    </script>
    fr0thy2
  • Juvenile

    About the only thing that can be said for it is that it exposed some "worst practices" in web server administration. The Obama campaign may want to consider firing their hosting service.

    Shouldn't change anyone's vote.
    John L. Ries
    • Obscurity != Security

      Reminds me of the old ladies reminiscing "When we were young we never used to lock the front door"
      fr0thy2
      • Didn't say it was

        Buck for website security problems stops with the administrator of the server. Mind you, cross-site scripting increases the chances of security holes because you're depending on more than one server (and their administrators), but that doesn't change the basic principle.
        John L. Ries
  • Security

    Am I more concerned that maybe someone from Hillary's team altered their website or that in fact Obama's security team is unable to block access to their site?

If Obama or Osama or whatever he chooses to call himself cannot manage website security then how is it evenly remotely possible that he can safeguard the security of an entire nation?
    dontnetcoder
    • psst dontnetcoder, your ignorance is showing

      "If Obama or Osama or whatever..." if you can't even get a name right, how is it evenly (sic) remotely possible that we can take you even slightly seriously when you equate security of a website with security of a nation?
      james.faction
• Security Error Magnified

        I was slamming Obama for having his name so similar to Osama Bin Laden. It was a joke.

        As to the security, my point is that if he cannot have a security team that can manage his website then I have concerns about his ability to manage the security of a nation. I am a programmer and this was a very simple cross-site scripting issue that should have been handled by his development team. They failed and thus my concern is that he too will fail. His failure may be much more costly when it comes to the security of the nation.

        I do believe that your bias towards Obama is showing.
        dontnetcoder
        • I believe it is your bias that is showing, not mine.

          NT.
          james.faction
          • Concern

            Jim,

            I am not necessarily biased against Mr. Obama inasmuch as I have concerns about his ability to lead a nation. Please someone explain how he can lead a nation into an international crisis but cannot find a development team to manage security for his website.
            dontnetcoder
          • "concerns about his ability to lead a nation" - yep, that's bias.

            I have concerns about the ability of ALL of them to lead a nation, LOL. I would not look at the security of a website as an indicator of leadership. Internet geekery is not the same skill that is required to run a country, and have diplomatic relations with other countries.

            "Please someone explain how he can lead a nation into an international crisis"... I think we have a problem here. I would prefer a leader who can lead a nation OUT of an international crisis!

            So in summary, you are either clearly looking for any excuse to rubbish Obama including tenuous links between internets and politics, or again, your ignorance is showing. I'd tuck it back in if I were you.
            james.faction
          • Well Put

            Jim,

            This is a very good reply. I too have concerns about all three of the candidates as do you. To think we are down to Hillary, Obama, or McCain is very sad.

            I also agree with the importance of leading one out of a crisis. Very well put as well.

            I am not necessarily against Obama as I am frustrated by what is on the menu.

            I do feel that it is important to be polished and that also means to be able to take care of your own backyard. I cannot assess Obama on an international event but apparently he has a problem with his development team.

Can you see this as a concern at all? Are you willing to marry a woman that you don't know if they can manage a family but fails at keeping her life in order? I need to be able to evaluate someone on how they manage what they have before I am willing to give them the opportunity to manage something they don't. Like the well-being of my children (I have 4).
            dontnetcoder
          • More Holes in that Argument than a Pound of Swiss

            I'm so tired of the attitude that if a website isn't 100% secure with the latest countermeasures then it pretty much deserved to be attacked. That's the same argument the Malaysian hacker that caused billions in damages and lost time a couple years back arrogantly stated in court. It's like saying because my neighbor only had a single knob lock on his front door rather than a deadbolt, burglar alarm and monitoring service, he was just asking for me to sneak in while he was at work and spray paint my initials on the walls.

            If the hacker merely wanted to point out a security flaw (of which you could probably find at least one on a majority of sites out there), he could have just alerted the site admin. But let's not kid ourselves that his actions were born strictly out of a helpful gesture, as he's trying to tell himself.

            Let's also consider the possibility that much of the work done for political candidates is done by college students, or by volunteers. For all the money being raised for a run at office, much of that cash goes straight to the pockets of TV ads and the like, leaving other ancillary functions in the hands of volunteers.

            And a website flaw equaling national security weakness? Give me a break. How many times during the Bush administration has the Pentagon been hacked? Or sensitive laptops gone MIA? Or hold the phone, an actual nuclear warhead gone unaccounted for for a day last September? Do you hold Bush personally accountable for each of these goofs?
            ESoyke
        • After reading two of your posts...

          it's clear to everyone who has the bias, and it ain't him. "I was slamming Obama for having his name so similar to Osama Bin Laden. It was a joke." No, jokes tend to at least carry some small bit of humor along with them, otherwise they are just stupidity trying to pass themselves off as a joke. I believe your low IQ is showing.
          jasonp@...
          • Bad Read

Well my friend. You read people wrong. I have two Engineering Degrees and manage more people than Barack will probably ever manage. So enough of the childish insults. I just made an observation regarding being able to manage. Barack is unable to manage his development team and thus his leadership shows serious inadequacies. I would think that your concern would be with Obama and not some blogger. But then your childish antics have clearly shown through. You all have a nice day.
            dontnetcoder
          • book smarts != common sense

But it was a very poor "joke" - if that's what you are calling it - and in EXTREMELY poor taste.
            JT82
        • Hmmm... a little shy on common sense I see.

"I was slamming Obama for having his name so similar to Osama Bin Laden. It was a joke. "

So Obama.. Being Barack's last name should turn his back on his heritage and change his last name because it is too similar to Bin Laden's first name???

Ever write a speech for George W. Bush by chance???

Sheesh..... Moron!!!!


Your self-proclaimed intelligence is NOT showing.... A president doesn't need to be an expert in HTML coding nor should he/she care much about it. They should be good at diplomacy and making decisions that help a nation succeed. Barack has a better chance than any candidate running at winning back the rest of the world and establishing peace in the Middle East. The guy is far more intelligent than you could ever dream of being. And he is not one of the skeevy conniving weasels like McCain or Clinton. Get a clue dontnetmoron.
          i8thecat