45 Comments
- eplawless, on 10/12/2007, -0/+35
YES! THAT WAS ME! THAT ***** WORKED!
It's an XSS vulnerability, and they delete my stories every time I try to report it. So I've taken to introducing proofs of concept in case someone notices. :)
I put ' www.digg.com">[script]alert("*****");[/script] ' as the url, with, you know, html brackets...

- eplawless, on 10/12/2007, -0/+29
The irony is that Netscape originally invented Javascript

- mightymouse, on 10/12/2007, -0/+12
It also says, "Hi to all you diggers out there ;)"
here: http://static.flickr.com/72/198672941_732e4e43e1_o.jpg

- judsond, on 10/12/2007, -0/+10
weird, verified, seems to be in safari only, didn't work for me in firefox.

- titlesaysitall, on 10/12/2007, -0/+10
How, I don't have Photoshop and others have verified this.

- titlesaysitall, on 10/12/2007, -1/+10
I even told Jason himself on AIM about it.

- jetsetsteve, on 10/12/2007, -0/+7
hey - sorry, man - your article was actually up before the one i linked from the dupe above. my bad!

- stephen2417, on 10/12/2007, -0/+7
Cool, they don't filter javascript!

- judsond, on 10/12/2007, -0/+7
More on Wikipedia:
http://en.wikipedia.org/wiki/Cross_site_scripting

- cdgore, on 10/12/2007, -0/+7
It worked for me in Firefox.

- npdcrazypyro, on 10/12/2007, -0/+5
Since it will probably be fixed soon, here's a video of it in action. (sorry for the Youtube blurriness :P)
http://www.youtube.com/watch?v=HGbAQZv1mcw

- overksam, on 10/12/2007, -1/+6
talk about over thinking it.

- jbus, on 10/12/2007, -0/+5
All I did was click on the link and I got the "*****" pop-up. Firefox 1.5 on ubuntu here

- judsond, on 10/12/2007, -0/+5
no, it is real, I looked through the js you can see and didn't see anything fishy, but that doesn't mean a whole lot.

- titlesaysitall, on 10/12/2007, -0/+4
-Link http://www.netscape.com/tag/digg/

- titlesaysitall, on 10/12/2007, -0/+4
Others are able to replicate it!!

- eplawless, on 10/12/2007, -0/+4
Sorry, the link didn't work for a bit because they deleted it; it's back now ;)

- vdxc, on 09/29/2008, -1/+4
hilarious, but they've removed it now.

- titlesaysitall, on 10/12/2007, -0/+3
Well at their site you click Digg under tags to the left and it shows it.

- cadich, on 10/12/2007, -1/+4
haha this is awesome, they really are pathetic

- Emerica, on 10/12/2007, -0/+3
This is one situation where you would have hoped that they spent more time securing their code. This is a simple attack which really shouldn't happen and I'm pretty sure Kevin's team has looked into such basic security problems. I'm not trying to say there's no room for such an attack, but I'm sure with the spam problems, botting and users like you, they have worked through such problems.
I didn't really know where to put my opinion on this whole digg vs ns topic until now.
They should do as Kevin has suggested, put the money into developing the site instead of buying off people to write/link to content. Build a good site, if you have what people want or like, they will stay or at least visit both more often.

- exhilarator, on 10/12/2007, -0/+3
It seems some guy has exploited the vulnerability in netscape comment system and pushed a story to the front page.. with the title " Unbearable Cuteness". Now the popup comes even if you reach their homepage.

- extremus, on 10/12/2007, -0/+3
I want to know the rate of reproducibility of this message and the variables needed to produce it. Is it a continuous or discrete variable? Any ideas about the probability of this message occurring? Seems to me like it won't appear all the time and some extra user actions are needed. Not ruling out this could be some scam though. Will this target IE users also, you know Netscape versus IE.

- darkecho, on 10/12/2007, -0/+2
http://www.netscape.com/tag/digg/ (no s on tag)

- inactive, on 10/12/2007, -0/+2
It's real, all right. I use FF 1.5 on XP and up it pops.
http://i35.photobucket.com/albums/d165/zybch/Image3-1.jpg
http://i35.photobucket.com/albums/d165/zybch/Image2-1.jpg

- joebone, on 10/12/2007, -0/+2
no they haven't :p (http://www.netscape.com/tag/digg/) - the offending code causing it is below :) in the linkOut's href he just used HTML encoded javascript - like an HTML SQL Injection attack :p quite entertaining heh
Cute Bunnies

- argash, on 10/12/2007, -0/+2
Doing a search for "Digg" also works. Don't just have to click the tag.
Firefox 1.5 here btw for those keeping track

- jammen, on 10/12/2007, -0/+2
I got that popup message following that link, so it's still there.
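joebone's comment above points at the root cause: the submitted url went straight into the link's href, HTML-encoded JavaScript and all. As an added example (not code from this thread or from Netscape's site), this is the check a link-submission form should apply before rendering the href; the function names and the sample inputs are my own.

```javascript
// Decode the numeric and basic named HTML entities a browser would resolve
// before it reads an attribute value, so "&#106;avascript:" is seen for what it is.
function decodeEntities(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const key = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(named, key) ? named[key] : m;
  });
}

// Escape for an HTML attribute / text context so a quote can never close the href.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Returns a normalized http(s) URL, or null when the submitted value must be rejected.
function safeHref(input) {
  // Browsers also ignore ASCII control characters inside the scheme ("java\tscript:"),
  // so strip them before deciding what the scheme is.
  let s = decodeEntities(String(input)).replace(/[\u0000-\u001f\u007f]/g, "").trim();
  if (!/^[a-z][a-z0-9+.-]*:/i.test(s)) s = "http://" + s; // bare "www.digg.com"
  let u;
  try { u = new URL(s); } catch (e) { return null; }       // unparseable: reject
  if (u.protocol !== "http:" && u.protocol !== "https:") return null; // no javascript:, data:, ...
  return u.href;
}

// Render the outbound link; a rejected URL falls back to plain text with no anchor.
function renderLink(url, text) {
  const href = safeHref(url);
  if (href === null) return escapeAttr(text);
  return `<a href="${escapeAttr(href)}">${escapeAttr(text)}</a>`;
}

// Constructed sample inputs modelled on the thread, not captured from the site.
console.log(renderLink('www.digg.com">[script]alert("*****");[/script]', "Cute Bunnies"));
console.log(renderLink("&#106;avascript:alert(1)", "Cute Bunnies"));
console.log(renderLink("www.digg.com", "Digg"));
```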
- AgentBuckwald, on 10/12/2007, -0/+1
It works for me in Camino.

- chrismcelligott, on 10/12/2007, -0/+1
Worked for me in Safari too, nice find :)

- t3hX, on 10/12/2007, -2/+3
WTF? Can you provide clearer instructions on how to do this?

- titlesaysitall, on 10/12/2007, -0/+1
This left the queue but it is nowhere on the front page! WTF!!

- TomP, on 10/12/2007, -5/+6
Heh silly Netscape won't beat digg :)

- robertgoodwin, on 10/12/2007, -0/+1
Hmmm... I'm not getting the popup using Firefox 1.5.0.1 on XP. I wonder what's up with that?

- mateo60, on 10/12/2007, -0/+1
Here is a screenshot of the offending code:
http://obeytherobots.com/files/code.gif

- mateo60, on 10/12/2007, -0/+1
Damn you! I was about to post that. I thought I had a scoop! ;)
It happened to me in FF, IE, & Opera.
I think they've fixed the problem. It looks to be related to the recent hacker attack.

- vdxc, on 09/29/2008, -1/+2
works in ie as well

- consumption, on 10/12/2007, -0/+0
why does
"http://search.netscape.com/ns/search?query=alert("MajorSecurity")"
work on the site but not something like:
"http://search.netscape.com/ns/search?query=alert("Test")"

- peaceburn, on 10/12/2007, -0/+0
I've been "*****"ed too :-D ... these AOL guys went nutz :)

- schestowitz, on 10/12/2007, -2/+1
Can't reproduce this...
http://www.netscape.com/tags/digg/
Not Found
The requested URL /tags/digg was not found on this server.

- jetsetsteve, on 10/12/2007, -6/+0
DUPE: http://digg.com/tech_news/NETSCAPE_HACKED

- inactive, on 10/12/2007, -12/+2
OH MAN. This is bad news. The hacker basically implicated Digg.com. Does anyone have any idea how much flak the digg management is going to get for this? Does anyone really believe that the Digg code isn't vulnerable to a hack? If Netscape and Digg got into a hack war both sites will be *****. And seeing as Digg.com is much more popular than Netscape but Netscape has way much more money behind it than Digg.com, this can get really ugly really fast. Lawsuits and the public relations. This is bad.

- inactive, on 10/12/2007, -14/+1
Photoshop indeed, I can see the gaps ...

- inactive, on 10/12/2007, -15/+2
or you photoshopped this.

- jetsetsteve, on 10/12/2007, -17/+1
DUPE: http://digg.com/tech_news/NETSCAPE_HACKED