Barack's donor data may be safe, but site was not properly secured

Mar 4
12:08

2010

M Frizzi

M Frizzi

  • Share this article on Facebook
  • Share this article on Twitter
  • Share this article on Linkedin

I recently reported on donate.barackobama.com being hacked. While Blue State Digital and the Democratic Nationinal Committee may disagree, I stand by the statement. It was clear that something was incorrectly configured, whether the data that was exposed belonged to Obama's team or not

mediaimage

I recently reported on donate.barackobama.com being hacked.While Blue State Digital and the Democratic Nationinal Committee may disagree,Barack's donor data may be safe, but site was not properly secured   Articles I stand by the statement.It was clear that something was incorrectly configured, whether the data that was exposed belonged to Obamas team or not.In his report for the Washington Post, Brian Krebs called the hack a hoax.The best analysis I can find on what Unu encountered when he stumbled upon Roosevelt Universitys calendar database was posted at the Praetorian Prefect blog.So what actually happened? It appears that the secure areas of barackobama.com (those that use HTTPS:/) had an open redirector that could be used to proxy all traffic through the Obama website.While the sites data itself may not have been compromised, the site was still not properly secured.As the folks at Praetorian pointed out, there are several ways to exploit this flaw that could affect the security of my.barackobama.com users.Web browsers protect cookies by allowing only the originating domain to read those cookies later.When you log in to my.barackobama.com, the site sets a cookie to remember who you are as you blog, plan fundraisers, and plan events.The proxy capability provided by the smartproxy functionality that was left open could allow an attacker to direct you to a link that appears to be part of barackobama.com, yet leads you to their website proxied by the Obama server.Your browser would then allow the third party site to read any cookies set and allow the attacker to impersonate you on the barackobama.com website. Fortunately, Obamas site did not store logins for the donation area, and it appears only my.barackobama.com was vulnerable to being hijacked.Obamas team and Blue State Digital went to great lengths to downplay this issue, but the fact remains that the insecure practice of allowing unfettered proxy traffic could pose a real risk.A user of pastebin discovered through a simple Google search that many sites that are hosted by Blue State Digital contain the same unrestricted proxy code.At the time of writing, the code on Blue State Digitals servers appears to be restricted to a limited number of authorized domains.Spammers have used redirectors like the one found on Blue States sites to scam users for many years now.It allows them to send out URLs that are arguably legitimate to an innocent surfer and still redirect them to something that is malicious and may steal data from the intermediate website.People also use unauthenticated proxies to subvert corporate or school proxy systems that block sites based upon their reputation or content.By manipulating the URL, you could surf anything on the web through an HTTPS session that is unlikely to be blocked by any web filtering solutions.If you host or design your own websites, be sure to restrict any code you use to redirect users to other sites to prevent these type of attacks.The cost to you may be more than your cookies, not to mention the bandwidth consumed by people who may use your site as a free proxy service.To prevent your users from accidentally being redirected to malicious content through a URL that appears to be from a safe and reputable web destination, be sure you have web filtering technology that can look into HTTPS trafficFree Articles, and perform proper malware filtering that is not just reputation-based.Its never fun to lose your cookies.