Symantec 'Hack Is Wack' Website Fixed
Symantec has cleaned up vulnerabilities in the Website for its "Hack is Wack" contest.
The contest is a partnership between the security vendor and rapper Snoop Doggy Dogg to promote computer security and Symantec's Norton products. Aspiring rappers are asked to post a rap video about cyber-crime, with the creator of the best video winning tickets to a Snoop concert, a Toshiba laptop, hotel accommodations and a meeting with his management team.
However, the "Hack is Wack" site had a number of security holes the vendor was recently forced to close. According to security researcher Mike Bailey, the Website contained problems ranging from cross-site scripting to cross-site request forgery.
"For example, there's the publicly available, indexed cache directory with all that SQL, JSON and other data," he blogged Sept. 2. "There's the XSS vulns (HTML5 only, though it should be simple enough to rewrite), CSRF holes, and the Flash upload issues in the video upload script (a Joomla module that appears to have been used without any quality control or review despite the fact that it's currently in Alpha)."
There were also cross-site request forgery issues in the voting system for uploaded videos.
"Symantec was made aware of reported vulnerabilities to the Norton Hack is Wack microsite, and we quickly took the necessary steps to enhance security on the site," a spokesperson said in a statement to eWEEK. "To date, Symantec can confirm that no company or customer data has been compromised or exposed. Symantec takes the security of our website and microsites very seriously, and we have taken the necessary steps to resolve this issue."
The contest ends Sept. 30.