Slashdot Mirror

← Back to Stories (view on slashdot.org)

Campaign Sites Full of Vulnerabilities

Posted by Hemos on from the not-surprising dept.

An anonymous reader writes "Bloggers have been buzzing about the new wave of "Web 2.0" campaign sites, but it seems that a lot of presidential candidates haven't bothered to protect themselves from cross-site scripting attacks. A blogger has found a collection of XSS vulnerabilities including the websites of Barack Obama, Joe Biden, John Edwards, Mitt Romney, John Cox, Newt Gingrich, Tom Tancredo, the Democratic National Committee, and even a surprise from Whitehouse.gov. Some of the holes are low-risk, but others would allow a user's accounts on the affected website to be compromised. A victim would simply have to click on a maliciously crafted link that appears to lead to the candidate's site."

36 comments

  1. Action by rlp · · Score: 1, Redundant

    The responsible action would be to warn each site's administrator of the vulnerability. Regardless of your personal political views.

    --
    [Insert pithy quote here]
    1. Re:Action by tetrahedrassface · · Score: 1
      Agreed. Hopefully some of their IT people will notice this huge banner (This Slashdot article) and do something about it. It is kind of difficult understanding why reputable development firms allowed for the vulnerabilities to exist in the first place unless they just didn't know of the weaknesses.

      Better to learn now than in a few months or even a year however...

    2. Re:Action by ravenfan · · Score: 1

      It just goes to show that you should always question the information you're given and not believe everything you're told.

  2. There are a lot of things that can be done by TheLink · · Score: 5, Interesting

    There really is plenty that can be done nowadays, and the url shortening sites make it possible to do even more "interesting" stuff.

    For example: some discussion boards only check the url endings to see if it ends with jpg or gif before allowing you to specify it as your avatar.

    Most url shortening sites allow you to add /blah.jpg to the shortened url without grumbling, and they will just append /blah.jpg to the final expanded URL.

    So if you pick an expanded URL of http://targetsite.com/do=somethingnaughty&foo=

    And the shortened URL is say: http://shorturl.org/s/szxvnf

    Then you can specify an image to be http://shorturl.org/s/szxvnf/blah.jpg
    and it will expand to http://targetsite.com/do=somethingnaughty&foo=/bla h.jpg

    And so something naughty happens without the victim even needing to click on anything.

    If the site signs urls with the user's session cookie, and all urls and forms must have a checksum derived from this, then that makes it harder for the attacker.

    However, if the attacker manages to inject javascript somewhere, that javascript could figure out the session cookies and other stuff. And that is why javascript is such a risk.

    To reduce such risks, I proposed years ago to the W3C and browser makers to have an HTML tag that disables active content, but nobody really seemed interested.

    Example:
    <shieldson lock="randomstring" allowed="java,vrml,svg" />
    disallowed material disabled
    <shieldsoff lock="randomstring"/>

    The attacker has to guess "randomstring" in order to inject active content that's not specifically allowed between <shieldson> and <shieldsoff>. Otherwise the browser will just ignore it (and/or log an error).

    Without such tags, HTML is like driving a car with 100 accelerator pedals, but not a single brake pedal. To stop you need to make sure that ALL 100 accelerator pedals are not pressed.

    Various people have said: "Just escape stuff correctly". But I think the evidence is that even though in theory people can make sure all 100 "Go" pedals are "escaped", in practice that doesn't happen well enough.

    Furthermore, if someone comes up with a new "Go" tag #101, your old escaping libraries might not escape it correctly. Whereas my proposed "brake" tag will have a "default deny" behaviour, the browser should only allow specified active content. So any new type of active content that slips through escaping will still be ignored.

    In my opinion the browser makers and browser language makers are not really interested about security.

    Oh well...

    --
    1. Re:There are a lot of things that can be done by Spazntwich · · Score: 2, Funny

      This plan sounds about as effective as protecting your website's content by disabling right-click with javascript.

    2. Re:There are a lot of things that can be done by Anonymous Coward · · Score: 0

      So true... I always thought that the [dynamic] image signatures in most forums were somewhat dangerous. They only allow images usually, as in: they check the extension. But anyone can have some javascript with a jpg or png extension, served with another mime type (or you can use URL rewriting or whatver you want). Easy XSS! Could be used to steal passwords, track IPs and everything. Probably wouldn't ever be noticed either (answer in one popular thread while having that as a signature, and you'd get LOTS of people as they read your reply - or post something stupid in the "site problems" section and have the site admins and mods read it to get their passwords...)

    3. Re:There are a lot of things that can be done by Anonymous Coward · · Score: 0

      Eh, what? I thought it sounded quite reasonable. The trick will of course be to implement the allowed-attribute in a reasonable way, and get the browsers to implement it.

    4. Re:There are a lot of things that can be done by Spazntwich · · Score: 1

      Exactly my point. Hackers (term used very loosely) won't want this "feature" enabled in their browsers, and thus there will be plenty of browsers ignoring this tag. All it takes is one browser ignoring said tag before it becomes useless.

      I'm no programmer, but even I know you don't blindly trust input from a client. This feature might give web developers a false sense of security and lead to further security holes while offering zero real benefit.

    5. Re:There are a lot of things that can be done by Anonymous Coward · · Score: 0

      That's why smart people use firefox & noscript

    6. Re:There are a lot of things that can be done by TheLink · · Score: 1

      "That's why smart people use firefox & noscript"

      Hey I surf with javascript turned off too[1].

      BUT I do see valid uses for javascript. If my proposal is implemented, I wouldn't mind enabling javascript for some sites that I trust, IF I see they are using that tag to "disarm" content that comes from 3rd parties who I don't necessarily trust (it would be fairly easy to check).

      That way I can have the features of javascript and know that it would be much harder for an attacker to inject malicious javascript into the site and have it execute on MY browser (if it supports the tag).

      A paranoid website would even enclose nearly ALL its _own_ content and only enable trusted snippets of active content.

      [1] At home when I need javascript etc or am browsing a less trusted site I use a browser in a virtual machine. At work, for normal sites I use a browser running as a different user.

      --
    7. Re:There are a lot of things that can be done by Firefly1 · · Score: 1

      Most url shortening sites allow you to add /blah.jpg to the shortened url without grumbling, and they will just append /blah.jpg to the final expanded URL.
      Question: what purpose, exactly, do these 'URL shortening sites' serve? It seems to me that the length of a URL is pretty much irrelevant, given that you can copy and paste the things. Bonus for Opera users: said browser semi-automates the process of copying a URL from, say, an email and opening it in a new window: highlight URL, right-click, choose 'Go to URL...' from the context menu.
      --
      - White Knight of the Order of Mihoshi Enthusiasts
  3. It wouldn't be the first time by arlo5724 · · Score: 1

    Remember when Lieberman's website was molested?

    1. Re:It wouldn't be the first time by Anonymous Coward · · Score: 1, Informative

      Remember when Joe Lieberman's staff lied about his site being hacked and it turned out he just paid for cheap web service and got just what he paid for? And then he cried to the FBI who also found nothing happened:

      http://www.tpmmuckraker.com/archives/002200.php

  4. Hackers = America hatin' terrorists? by cno3 · · Score: 3, Interesting

    Why plug the holes? Blaming "the other guy" for a malicious attack on your web presence makes for such good press.

  5. I dare someone by ReidMaynard · · Score: 3, Funny

    I dare someone to photoshop moustashes on the candidates pics....

    --
    -- www.globaltics.net

    Political discussion for a new world

    1. Re:I dare someone by mstahl · · Score: 1

      Double-dare. Extra points if it's Hillary.

    2. Re:I dare someone by ReidMaynard · · Score: 1

      I double-dog-dare you

      --
      -- www.globaltics.net

      Political discussion for a new world

  6. Why are these vulnerabilities? by Anonymous Coward · · Score: 0

    So what the user can inject code into their own browser. What difference does it make? The client is going to hack themselves? Where is the vulnerability?

    1. Re:Why are these vulnerabilities? by ip_vjl · · Score: 3, Informative

      It's because these are exploits that can be done transparently using nothing more than a carefully crafted hyperlink.

      Lets say a malicious blogger posts a story about candidate X. He links to a page on candidate X's site that has one of these vulnerabilities. But instead of just creating a normal link, he links in a way that passes some exploit code into the page that alters its behaviour or content. Maybe changing some page content, or injecting Javascript code that sends your cookies for that site to a handler on his blog so that he can collect login information.

      To Joe web user, he doesn't know anything is going on. His browser is reporting he is on the authentic Candidate X website (even if it was SSL) but is completely unaware that the content has been altered by a 3rd party, or that his login information is going to get sent to site Y instead of the typical login form handler, etc.

      It's not about smart users messing with the page for their OWN amusement, it's about being able to mess with someone else's page with nothing more than a hyperlink (in such a way that doesn't require "hacking" into an account on the local server. Now do you get it?

    2. Re:Why are these vulnerabilities? by Anonymous Coward · · Score: 0

      Still doesn't make sense. Being able to send data like that would require that the web site accept GET requests but 99% of the time sites only use the POST method.

    3. Re:Why are these vulnerabilities? by Anonymous Coward · · Score: 4, Informative

      Still doesn't make sense. Being able to send data like that would require that the web site accept GET requests but 99% of the time sites only use the POST method.


      Hmm. Let's see what Mitt Romney thinks of your theory.

      (disclaimer: probably not what Mitt actually thinks, but you never know.)
    4. Re:Why are these vulnerabilities? by goarilla · · Score: 1

      hahahahahahaha that's funny :D

    5. Re:Why are these vulnerabilities? by phase_9 · · Score: 1

      You realise it's not exactly difficult to send POST Vars to any website of your choosing? A good designer will check that the POST requests originate from their own server, but alas, not everyone is as "on the ball".

  7. Bleh, XSS by Robert+Goatse · · Score: 0

    A few javascript alert boxes and every kid wit a DSL connection is a "hacker". It's a shame that 98/100 of the vulnerabilities out there are this lame ass cross site scripting. What happened to the good old fashioned buffer overflow?!

  8. XSS vulnerabilities by mdboyd · · Score: 1

    I've always felt that that they're pretty weak vulnerabilities. Yes they are vulnerabilities but I consider sql injection and remote code execution vulnerabilities much more dangerous. Doesn't someone need to visit your site in order to make the attack work?

    1. Re:XSS vulnerabilities by Lenneth-chan · · Score: 1

      I think it's a fairly good bet that there will be many many people visiting these sites.

    2. Re:XSS vulnerabilities by TheLink · · Score: 1

      They're not weak vulnerabilities if they happen on webmail sites, Amazon, Ebay and so on.

      All these sites display content from 3rd parties. If they screw up, or a popular browser screws up, pretty naughty stuff can happen.

      People complain that "one click buy" is not secure? Hah, you should see "zero click buy"[1] when it happens. And then there's bidding...

      Once you can sneak in significant amounts of arbitrary javascript, it's pretty much "pwn3d time".

      [1] Perhaps I should patent it, but it's so obvious to anyone in that field right?

      --
    3. Re:XSS vulnerabilities by Anonymous Coward · · Score: 0

      Many of these are very serious vulnerabilities. They allow for user's accounts and personal information to be stolen. I'm sure members of these sites would be mad if their blogs/profiles were suddenly vandalised. The attitude that cross-site scripting isn't serious is the kind of thing that causes these problems.

  9. Not limited to campaign sites by Anonymous Coward · · Score: 0

    This kind of security hole is really prevalent across the web. Campaign sites might be a little worse off because they've only been around for a few months and haven't been stung yet. Also, the political blogging communities just loves to post links to the latest interesting piece of news, gossip, or speculation from non-mainstream sources, so there are plenty of opportunities to slip in a link to a malicious site. If the damage is subtle enough, such as stealing cookies, it might not even be noticed for a while.

  10. Clinton in 2008!!! by PinkPanther · · Score: 1

    A blogger has found a collection of XSS vulnerabilities including the websites of Barack Obama, Joe Biden, John Edwards, Mitt Romney, John Cox, Newt Gingrich, Tom Tancredo
    Ms. Former (First?) Lady gets my vote...to bad for her that I don't have one, eh?
    --
    It's a simple matter of complex programming.
  11. Could be worse by greg1104 · · Score: 2, Funny

    This is nothing compared to all the holes and open ports I found last time I was at the whitehouse.com site.

  12. I think you misunderstand by TheLink · · Score: 1

    I think you misunderstand the usage.

    The feature I proposed is to help a site protect their users from 3rd party content being displayed on that site.

    3rd party content could be webmail being read, comments to a discussion site, search results, adverts.

    Say I only allow jpgs and gifs in avatars, so as site owner, I just have the HTML for the avatars looking something like:
    <shieldson lock="z34kv85mg925" allowed="image-jpg,image-gif" />
    <img src="http://3rdpartysite.com/hopefully/this/is/an/ avatar/image.jpg">
    <shieldsoff lock="z34kv85mg925" />

    Similar thing for sigs, posts, or webmail from spammers/hackers.
    <shieldson lock="ad6i5gmp02d" allowed="plain-html,plain-text" />
    potentially dangerous webmail message here
    <shieldsoff lock="ad6i5gmp02d" />

    Every now and then you hear Yahoo, MySpace, Gmail etc having problems with filtering out content that should not be active, or at least "that active" ;).

    If the tags I propose are implemented, they will be a good _safety_net_.

    The sites should still try to filter and escape stuff, but this is defense in depth. And it should be compatible with browsers that don't support it - they should ignore unknown tags.

    --
    1. Re:I think you misunderstand by Spazntwich · · Score: 1

      Yeah, you're right, I did misunderstand the hell out of your intention.

      This is why Slashdot needs an edit/delete post option. That and my oh so clever failure to close that italics tag.

    2. Re:I think you misunderstand by TheLink · · Score: 1

      Look on the bright side, you got modded up :).

      Anyway, the W3C, browser bunch didn't seem to get it either. Even had someone from Netscape saying: "a server-side library is a more robust solution".

      But sites are STILL supposed to use libraries etc to escape stuff! It's supposed to be an _additional_ measure. Argh!

      --
  13. Problem might be over-functionality by mutterc · · Score: 1

    The summary says that the attacks could compromise user accounts. This raises an interesting question... why do presidential-campaign websites even have accounts for members of the public? What non-cosmetic functionality does that provide that couldn't be done some other way?

    Full disclosure: The proliferation of websites that require accounts is a personal pet peeve. There are lots of places where I can't apply for a job or buy something without creating an account, leading to a nasty proliferation of passwords. I have an encrypted password-safe, but it's still annoying. There's no reason I couldn't just paste in data from a resume, or give a billing/shipping address and CC number each time.

    1. Re:Problem might be over-functionality by shalmaneser1 · · Score: 1

      The summary says that the attacks could compromise user accounts. This raises an interesting question... why do presidential-campaign websites even have accounts for members of the public? What non-cosmetic functionality does that provide that couldn't be done some other way? sites make you register to help them avoid comment spam. captcha is another alternative but then you have to make allowances for people with disabilities ( not to mention that they can be painful sometimes )