Print this article  |  E-mail this article  |  Comment on this article

AOL Fixes Netscape.com XSS Hack

By Nate Mook, BetaNews

July 26, 2006, 3:00 PM

AOL's newly launched user-driven Netscape.com fell victim to a cross-site scripting (XSS) attack early Wednesday, the result of the site not properly sanitizing submitted news stories. Visitors to Netscape.com encountered crude pop-up messages and redirects to rival site Digg.

The problem stemmed from inadequate filtering of stories, which did not strip out JavaScript code that exploited an XSS issue. "The site was never compromised," an AOL spokesperson told BetaNews. "The issue lasted a couple hours before it was fixed." The company says it does not believe any malicious code was submitted during that timeframe.

Add a Comment (3 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By GCoder

posted Jul 26, 2006 - 3:49 PM

lol@ "microsoft like security"

Score: 0

By The MAZZTer

edited Jul 26, 2006 - 3:42 PM

Hmm, this is why you should filter all user-submitted HTML content with a WHITELIST, not a blacklist.

With a blacklist you strip out unwanted elements, but there is always the chance that you missed one, such as in this case.

With a whitelist, you only list permitted items, everything else is stripped out. In this case, if you miss something, the worst that happens is something is stripped out that doesn't need to be. No security exploit. And of course it can always be added later to the whitelist.

I should probably add that my mom has used netscape.com as her homepage for years (if only because she was used to using Netscape) and when they introduced the Digg competition stuff she thought it was stupid, and I helped her set up a Google Personalized Page.

I was glad she switched, but now I realize it would have happened sooner or later, if she had still been using netscape.com now... heh.

Score: 0

By crashoverride

edited Jul 26, 2006 - 3:36 PM

I'm, sure the people that actually use this didn't think it was funny but.......excuse me

Score: 0

Nov 21 - 6:51 PM ET Coalition urges better laws for e-mail and cell phone privacy

Nov 21 - 6:42 PM ET How is Internet advertising faring in this bad economy?

Nov 21 - 6:15 PM ET From out of the Amazon Cloud, an AWS winner emerges

Nov 21 - 5:20 PM ET Mufin music finder enters public beta, adds widgets

Nov 21 - 5:01 PM ET Google launches its SearchWiki semantics plug-in

Nov 21 - 4:57 PM ET Asus previews a slimmer, less costly Eee PC

Nov 21 - 4:32 PM ET New Adobe Media Player ushers in AIR 1.5

Nov 21 - 2:11 PM ET AT&T to add Pantech's low-cost C630 phone to 3G lineup

Nov 21 - 1:11 PM ET iPhone gets firmware 2.2 update

Nov 21 - 11:51 AM ET The Dell surprise: Higher earnings on lower revenue