Flixster Apparently Sells Viagra Online

Popular movie recommendation service Flixster has what appears to be a huge security hole in their commenting system. This morning we had over 100 spam emails in our inbox which all contained links to Flixster. The links look something like this:

www.flixster.com/friends.do?displayRatings=&friendsUserId=821854498&buy-viagra-online
(do not paste the link in as it may contain spyware or worse)

When you visit this link, the page appears for an instant and then, an instant later, is taken over by an "order viagra" page. Checking with our security consultants, it appears this security hole is a cross-site scripting (XSS) attack. We were able to easily duplicate the issue, but for obvious reasons we will not share how it's done. We have alerted Flixster staff about this security hole and will update this post once we hear back.
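As an added illustration (not Flixster's code, and not the actual technique, which the post deliberately withholds): a Python sketch of a friends.do-style page that reflects query-string data, shown once without and once with output encoding, plus a log-review heuristic. The URL and its last parameter are constructed stand-ins.

```python
"""Added example, not Flixster's code: how a page reflecting query-string
data would behave with and without output encoding, plus a simple log check."""
from html import escape
from urllib.parse import parse_qsl, urlsplit

# Constructed URL in the shape of the spam links; the last parameter is a
# made-up marker, not the real payload (which the post does not disclose).
CONSTRUCTED_URL = ("https://www.flixster.com/friends.do?displayRatings="
                   "&friendsUserId=821854498&<script>injected()</script>")

def query_pairs(url):
    """Return (key, value) pairs; keep_blank_values so '&foo' (no '=') survives."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)

def render_unsafe(url):
    """Hypothetical vulnerable pattern: raw query data concatenated into HTML."""
    rows = "".join(f"<li>{k}={v}</li>" for k, v in query_pairs(url))
    return f"<ul class='friends'>{rows}</ul>"

def render_safe(url):
    """Hardened version: every untrusted string is HTML-escaped before output."""
    rows = "".join(f"<li>{escape(k)}={escape(v)}</li>" for k, v in query_pairs(url))
    return f"<ul class='friends'>{rows}</ul>"

def suspicious_query(url):
    """Log-review heuristic: flag query strings carrying markup or script URLs."""
    q = urlsplit(url).query.lower()
    return any(t in q for t in ("<", ">", "javascript:", "%3c", "%3e"))

if __name__ == "__main__":
    print(render_unsafe(CONSTRUCTED_URL))     # the tag lands in the page verbatim
    print(render_safe(CONSTRUCTED_URL))       # rendered as inert text: &lt;script&gt;...
    print(suspicious_query(CONSTRUCTED_URL))  # True
```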

Compete reports U.S. Flixster traffic for March at 2.5 million unique visitors, down from 5 million in January.

Here's an example of a hacked page (screenshot: Flixster):

2 COMMENTS
  1. Saran says:

    Thanks for the heads up. Fixed now.

    -Saran

  2. centernetworks says:

    Anytime! Glad you were able to get it fixed up.
