Digg fans hack copy-cat Netscape

Netscape.com falls victim to cross-site scripting attack

Written by Tom Sanders in California

vnunet.com, 27 Jul 2006

Online vandals have hacked the Netscape.com service using a cross-site scripting attack.

The site was recently relaunched as a social book-marking service. It is generally considered a copy of the popular Digg.com website.

Netscape visitors on Wednesday were presented with pop-up messages, one of which stated: 'This site sucks. Go here instead'. Clicking on the message led users to Digg.com.

The Netscape service allows users to nominate news items that they believe should be featured on the site's front page. The attackers added JavaScript code into their submissions to trigger the pop-ups.

Cross-site scripting attacks form a growing threat for online applications. Google repaired a vulnerability in its Gmail service earlier this year that executed JavaScript pasted into an email message.

The vulnerability could have allowed an attacker to gather email addresses from the user's address book or gain full access to an account.

Cross-site scripting attacks are easily prevented by scrubbing submissions for JavaScript and other code, or by preventing all code from being executed.