Digg.com is vulnerable to another XSS
Written by DP
Monday, 26 March 2007

Brendandonhue from xssblog.com notified us about a cross-site scripting vulnerability he discovered on Digg.com, the popular user-driven social content website. An attacker can exploit this vulnerability to compromise user accounts and to perform cross-site request forgery (CSRF) in the victim's session, for example forcing the victim to Digg the attacker's story. Although Brendan submitted his finding to Digg, Digg apparently did not like the full disclosure and deleted it.
The vulnerability has since been fixed and we cannot reproduce it, so we are not 100% sure that it existed. We only mirror affected websites that are submitted to XSSed or sent to us via e-mail while the vulnerability still exists. We are glad that it didn't take them too much time to fix it... ;-)
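To show why a cross-site scripting bug lets an attacker force actions in the victim's session, here is an added example (not Brendan's finding and not Digg's code) of a reflected-XSS rendering defect beside its fix. The page layout, the search parameter and the "/vote" endpoint in the payload are hypothetical; only the mechanism is what the post describes.

```javascript
// Added example, not from XSSed or Digg. The page, the "q" parameter and
// the "/vote" endpoint are hypothetical stand-ins.

// Vulnerable: echoes the user-controlled value straight into the HTML.
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Fix: HTML-encode the characters that can break out of text content or
// an attribute value before the value reaches the markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSearchFixed(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Constructed payload. Once this runs inside the site's own origin, the
// request it makes carries the victim's session cookie, so the site sees an
// ordinary authenticated action. That is the "force the victim to Digg my
// story" case: anti-CSRF tokens do not help here, because script running
// in-origin can read the token from the page and include it.
const PAYLOAD =
  '<script>fetch("/vote",{method:"POST",credentials:"include"})</script>';

// Crude stand-in for the browser's parser: does the rendered page contain a
// live <script> tag that came from the input?
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Renders the payload through both versions and reports whether the script
// survives as markup. Expected: vulnerable true, fixed false.
function demo() {
  return {
    vulnerable: containsScriptTag(renderSearchVulnerable(PAYLOAD)),
    fixed: containsScriptTag(renderSearchFixed(PAYLOAD)),
  };
}

console.log(demo());
```

The point of the check is the origin boundary: output encoding at the point where untrusted data meets HTML is what keeps the attacker's script from running as the site, and no amount of CSRF tokenry substitutes for it once script is already executing in-origin.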
You can read Brendan's explanation of the XSS vulnerability here: http://xssblog.com/?p=5
Digg has been XSSed a few times in the past:
http://www.oreillynet.com/onlamp/blog/2005/11/digg_vulnerable_to_xss.html
http://ha.ckers.org/blog/20060628/digg-is-vulnerable-to-xss/