The ongoing Digg versus Netscape spat has apparently escalated into a hacking attack against America Online's Netscape.com social media Web site.
Virus researchers at Finnish security vendor F-Secure discovered the Netscape.com hack during research work around cross-site scripting vulnerabilities on social networking sites and said the attack was obviously the work of Digg fans.
Netscape.com, which was relaunched in June 2006 as a hybrid news site combining editor-driven news and user-submitted stories, has been panned as a blatant rip-off of Digg, the social news site that popularized the concept of swarms of users voting on the value of news articles.
The verbal tiff between the rival sites escalated in recent weeks when Netscape.com's Jason Calacanis offered to pay Digg's top submitters, prompting a sharp rebuttal from Digg founder Kevin Rose.
In the cross-site scripting attacks, visitors to Netscape.com encountered JavaScript pop-up alerts with comical pro-Digg messages and, in some cases, were redirected to Digg.
“Attackers (who are obviously fans of Digg) have used the XSS vulnerability to inject their own JavaScript code snippets into pages on the website, including the homepage,” said a note posted by F-Secure anti-phishing researcher S.G Masood.
“Fortunately no one has tried to inject malicious code, yet,” Masood added.
America Online spokesperson Andrew Weinstein confirmed that a weakness in the Netscape.com user submission process led to the exploit, which affected the site “for a few hours, in the middle of the night.”
“The [Netscape.com] site wasn't adequately filtering story submission from users. Some users were able to submit stories with code that had the cross-site scripting exploit,” Weinstein said in an interview with eWEEK.
He confirmed that the code was being used to redirect users to rival Digg.
“We've fixed the filtering process and will continue to review the site to strengthen the quality of the service for all our users,” Weinstein added.