An independent security researcher examined the links and domains associated with About.com and found that virtually all of them were vulnerable to cross-site scripting (XSS) and cross-frame scripting (XFS, iframe injection) attacks.
About.com is one of the largest expert-written content repositories, designed to answer questions on food, health, money and technology, entertainment, careers, parenting and sport. About 100 million users look for information on the portal each month.
Wang Jing, a PhD student at Nanyang University of Technology in Singapore (Mathematical Sciences - MAS, School of Physics and Mathematical Sciences), wrote a program to check 94,357 links associated with About.com for security holes.
The result was that “at least 99.875% of the links are vulnerable to XSS and Iframe Injection attacks”.
The researcher also found that the search field on the main page could be used in XSS attacks and concluded that all relevant fields have the same vulnerability.
XSS vulnerabilities are the most common on the internet, but they are also the most dangerous, as exploiting them can lead to theft of user information such as session cookies and login data. This happens by sending the victim a specially crafted link containing commands that run in the victim's browser and gain access to the user's content there.
For a successful XFS (iframe injection) attack, content from one domain must be able to access resources from a different domain. However, web browsers implement what is called the same-origin policy (SOP), which prevents the mixing of information from different origins.
Hence, unless the browser has a SOP security flaw, such as the one that was reported in Internet Explorer, the XFS attack fails.
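To make the two defences concrete, here is an added Python example (not code from the report, from Jing, or from About.com) showing a search-results page that reflects the query unescaped beside its escaped form, a check that flags unescaped reflection in a response body, and the response headers that stop a page from being framed by another origin. The URL and query value are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample: a search URL of the kind the article describes, with
# markup in the query string (hypothetical value, not from the report).
SAMPLE_URL = "https://search.example/search?q=%3Cb%3Emarkup%3C%2Fb%3E"


def search_query(url: str) -> str:
    """Extract the 'q' parameter exactly as the server would see it."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def render_vulnerable(query: str) -> str:
    """Reflects the query verbatim: any markup in it becomes part of the page."""
    return f"<p>Results for: {query}</p>"


def render_hardened(query: str) -> str:
    """HTML-encodes the query before reflecting it, so markup is shown as text."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def is_reflected_unescaped(query: str, body: str) -> bool:
    """Defensive check on a response: the query contains markup characters and
    appears in the body without encoding, i.e. reflected XSS is possible."""
    return any(c in query for c in "<>\"'") and query in body


def anti_framing_headers() -> dict:
    """Headers that tell the browser not to render this page inside a frame on
    another origin, which is the mitigation for the iframe-injection scenario."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


if __name__ == "__main__":
    q = search_query(SAMPLE_URL)
    print("vulnerable:", is_reflected_unescaped(q, render_vulnerable(q)))
    print("hardened:  ", is_reflected_unescaped(q, render_hardened(q)))
```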
Jing said in a blog post on Monday that he reported his findings to About.com on 19 Oct 2014 but received no answer. He also claims that a security update has not yet been implemented.
However, the web browsers used by the researcher in his tests (IE 10, Firefox 34 and 36, and Chromium 39) are now outdated.
Testing the proofs of concept provided by Jing on IE 11 and the most recent versions of Firefox and Google Chrome either generates a 404 error (page not found) or triggers a notification from About.com about the malicious attempt, which suggests that the administrators have already worked to protect visitors.