Hack Attack: Rivalry Between Web 2.0 Sites Results in JavaScript Tomfoolery

JavaScriptSearch
Thursday, July 27, 2006; 07:59 AM

Netscape.com has been hacked through a cross-site scripting (XSS) vulnerability in their recently launched news service. It is alleged that the attack was launched by fans of Digg.com, a competing social networking website. The hackers used the XSS vulnerability to inject their own JavaScript code into the homepage and other pages on the site.

The hack was discovered by Finnish security vendor (F-Secure), during their research work around cross-site scripting vulnerabilities on social networking sites. Hackers used cross-site scripting attacks to display JavaScript pop-up alerts with "comical" messages aimed at redirecting visitors to their site. No malicious code was injected. Netscape released a statement yesterday afternoon stating that the vulnerability had been patched and that visitors are once again safe.

F-Secure has documented the defacement of the web site.  Apparently, visitors to Netscape were treated to JavaScript alerts proclaiming the supremacy of Digg and the irresistible sexiness of one Mr. Tom Way.

Source: http://www.f-secure.com/