Phaithful sent me this link to Threadwatch talking about Netscape’s recent cross-site scripting hole. This attack went beyond a simple XSS proof of concept: it changed the face of Netscape by creating a dialogue box with an obscenity in it. Pretty bad for your brand, I’d say. It appears to be fixed, but it just goes to show how serious these types of web application security issues can be for your branding, let alone what the attackers could have done, given how many people have that set as their homepage. The potential for disaster was tremendous, had it been used in a more destructive manner than a simple defacement.
The stored cross-site scripting attack vector may not be the most common, but in this case it was probably one of the most dangerous. Here is David “Aesthetico” Vieira-Kurz’s explanation of the hack (I do not believe he was the one who defaced them, but he was the one to disclose it).