Political Implications of Cross-Site Scripting 

Apr 21, 2008 07:53 PM

On the eve of the much anticipated Pennsylvania Democratic Primary, we received public reports of a series of cross-site scripting vulnerabilities that affected Barack Obama's campaign Web site. We also saw reports of these vulnerabilities being disclosed publicly on the XSSed.com Web site. The corresponding code to exploit the vulnerabilities was used to redirect users to Hillary Clinton’s Web site.

Who says attackers don’t have a sense of humor? While a couple of these vulnerabilities were shored up before we could investigate them, we were able to examine some for validity.

At a high level, what appears to have happened is that an attacker took advantage of the fact that certain parts of the Obama campaign site allow users to post content, for example, in the form of community blog postings. While most users take advantage of such features to post political commentary, at least one user decided to try posting something more insidious.

Here’s how such attacks typically work. When one posts any text to an online forum or discussion board, that text is stored in a database and then subsequently rendered into the Web browser window of anyone who visits the site and reads that post. Instead of posting legitimate text, an attacker might try posting actual code. When someone visits the site and views the corresponding post, the Web browser, rather than displaying the text, might treat it as markup and execute the embedded code.

The results may not be so desirable for the person visiting the site. In the case of the alleged attack on the Obama Web site, the attacker posted code that would cause the person trying to view the post to be immediately directed to Hillary Clinton’s Web site.
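To make the mechanism described above concrete, here is an added example that is not code from the original post or from the campaign site. It simulates the store-then-render cycle with an in-memory array standing in for the database, and places a vulnerable renderer next to a hardened one that HTML-escapes user content at output time. The post bodies, the example.org redirect, and all function names are constructed for illustration.

```javascript
// Added example (not from the original post): a minimal stored-XSS
// simulation. Posts are kept in an in-memory array standing in for the
// database the post describes; two renderers build the HTML a reader's
// browser would receive. All posts here are constructed sample data.

// In-memory "database" of community blog posts (constructed sample data).
const posts = [
  { author: "alice", body: "Great turnout at the rally today!" },
  // A post whose body is markup rather than commentary. The script is a
  // placeholder redirect to example.org, standing in for the redirect
  // the blog post describes.
  {
    author: "mallory",
    body: "<script>window.location = 'https://example.org/';</script>Nice site",
  },
];

// Vulnerable renderer: the stored text is concatenated straight into the
// page, so any <script> in it becomes part of the document.
function renderPostUnsafe(post) {
  return `<div class="post"><b>${post.author}</b>: ${post.body}</div>`;
}

// HTML-escape the five characters that can change how a browser parses
// text as markup. Applied at output time, so the database can still hold
// whatever the user typed.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened renderer: same template, but every user-controlled field is
// escaped before it is placed in the HTML.
function renderPostSafe(post) {
  return `<div class="post"><b>${escapeHtml(post.author)}</b>: ${escapeHtml(post.body)}</div>`;
}

// Simple check a reviewer or test suite can run over rendered output:
// does the HTML contain a script tag that did not come from the template?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Render every stored post with the given renderer.
function renderAll(renderer) {
  return posts.map(renderer).join("\n");
}

// Demonstration when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  const unsafe = renderAll(renderPostUnsafe);
  const safe = renderAll(renderPostSafe);
  console.log("unsafe output contains script:", containsScriptTag(unsafe)); // true
  console.log("escaped output contains script:", containsScriptTag(safe)); // false
  console.log(safe);
}
```

The escaping shown here is correct for text placed inside an HTML element body; content inserted into attributes, URLs, or inline script needs the encoding appropriate to that context, which is why the fix belongs at the point of output rather than at the point of storage.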

However, it’s important to keep in mind that such vulnerabilities could have more serious implications. For example, an attacker could attempt to post code that leads users to a Web site that exploits a vulnerability in their Web browsers and subsequently downloads malicious software onto their machines. Along similar lines, an attacker can inject content that tricks users into divulging sensitive information by leveraging the trust people afford to the original site. One example would be asking for a credit card number in order to process an online donation.

However, given the high profile nature of the Web sites involved, it’s quite likely that such attacks will be caught quickly. And to the credit of the Obama campaign, that seems to have happened here.

We have seen examples of such cross-site scripting attacks before (http://www.symantec.com/enterprise/security_response/weblog/2006/07/phishing_and_crosssite_scripti.html).

We have long believed that with the increased use of the Internet by political campaigns, such types of abuse are likely to keep happening. It’s important to keep in mind that attacks on one candidate’s Internet presence may have little to do with the relative security of the other candidate’s sites. The reality is that attackers often like to go after higher profile and otherwise very popular targets.

Oliver Friedrichs wrote an excellent blog post (http://www.symantec.com/enterprise/security_response/weblog/2007/10/cybercrime_politics.html) on this topic. A more detailed exposition of Oliver’s findings on cybercrime and politics can be found in chapter 10 of the Crimeware text that we just released (http://www.crimeware-book.com).

With people closely watching the heated contest to determine the next U.S. President, you can bet that this won’t be the last time such attacks happen.
