Hacked by Digg Fans

By Ryan Naraine  |  Posted 2006-07-26

The ongoing Digg versus Netscape spat has apparently escalated into a hacking attack that launched comical pop-up alerts and redirected users away from the new AOL social media site.

The ongoing Digg versus Netscape spat has apparently escalated into a hacking attack against America Online's social media Web site.

Virus researchers at Finnish security vendor F-Secure discovered the hack during research work on cross-site scripting vulnerabilities in social networking sites and said the attack was obviously the work of Digg fans.

Netscape.com, which was relaunched in June 2006 as a hybrid news site combining editor-driven news and user-submitted stories, has been panned as a blatant rip-off of Digg, the social news site that popularized the concept of swarms of users voting on the value of news articles.

The verbal tiff between the rival sites escalated in recent weeks when Netscape.com's Jason Calacanis offered to pay Digg's top submitters, prompting a sharp rebuttal from Digg founder Kevin Rose.

In the cross-site scripting attacks, visitors to Netscape.com encountered JavaScript pop-up alerts with comical pro-Digg messages and, in some cases, were redirected to Digg.

"Attackers (who are obviously fans of Digg) have used the XSS vulnerability to inject their own JavaScript code snippets into pages on the website, including the homepage," said a note posted by F-Secure anti-phishing researcher S.G. Masood.

"Fortunately no one has tried to inject malicious code, yet," Masood added.

America Online spokesperson Andrew Weinstein confirmed that a weakness in the user submission process led to the exploit, which affected the site "for a few hours, in the middle of the night."

"The [Netscape.com] site wasn't adequately filtering story submissions from users. Some users were able to submit stories with code that had the cross-site scripting exploit," Weinstein said in an interview with eWEEK.

He confirmed that the code was being used to redirect users to rival Digg.

"We've fixed the filtering process and will continue to review the site to strengthen the quality of the service for all our users," Weinstein added.
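The bug Weinstein describes is a stored cross-site scripting flaw: a story title or link submitted by one user is written into the homepage for every other user without being encoded. The following is an added example, not eWEEK's reporting or Netscape's code, showing a rendering function with that defect beside one that encodes each submitted field for the context it lands in. The story fields, the sample submissions and the pro-Digg payload are constructed for illustration; the real injected snippets were not published in the article.

```javascript
// Added example (not code from the article or from Netscape.com): a
// stored-XSS bug in a story-submission page, beside the fix.
// Story objects, field names and sample payloads are constructed.

const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode text for an HTML text node or a double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITY[c]);
}

// Accept only absolute http(s) links; "javascript:" and relative or
// malformed URLs collapse to a harmless "#".
function safeHref(url) {
  try {
    const u = new URL(String(url));
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch {
    return '#';
  }
}

// VULNERABLE: submitted fields are concatenated straight into the page,
// so a <script> tag in a title runs in every visitor's browser.
function renderStoryUnsafe(story) {
  return '<li><a href="' + story.url + '">' + story.title + '</a></li>';
}

// FIXED: every untrusted field is encoded for the context it lands in
// (attribute value for the link, text node for the title).
function renderStorySafe(story) {
  return '<li><a href="' + escapeHtml(safeHref(story.url)) + '">' +
         escapeHtml(story.title) + '</a></li>';
}

// Crude check over rendered output: did any submission survive as live
// markup or as a script-scheme link?
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /href="javascript:/i.test(html);
}

// Constructed submissions in the spirit of the 2006 incident (hypothetical
// URLs; "example.com" is a placeholder).
const SUBMISSIONS = [
  { title: 'Netscape relaunches as a social news site', url: 'http://example.com/story' },
  { title: 'Digg rules<script>alert("Digg > Netscape")</script>', url: 'http://digg.com/' },
  { title: 'Click me', url: 'javascript:location.href="http://digg.com/"' },
];

// Build the homepage list with a chosen per-story renderer.
function renderHomepage(render) {
  return '<ul>' + SUBMISSIONS.map(render).join('') + '</ul>';
}

console.log('unsafe:', renderHomepage(renderStoryUnsafe));
console.log('safe:  ', renderHomepage(renderStorySafe));
```

The unsafe rendering carries the alert and the `javascript:` redirect into every visitor's page; the safe rendering shows the same titles as inert text and drops the script-scheme link. Encoding at output time, per context, is what "fixing the filtering process" has to mean in practice; rejecting known-bad strings on input alone is easy to bypass.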
