75% of the Websites on Weather.com Vulnerable to Cross-Site Scripting Attacks

An application vulnerability on the official website of The Weather Channel, which exposed almost all of its links to cross-site scripting attacks, has recently been addressed.

The discovery that over 75% of the websites on Weather.com were vulnerable was made by Wang Jin, a student at the Nanyang Technological University in Singapore.

In order to execute a script, the attacker simply has to add it at the end of the URL of The Weather Channel, explains Wang.

The findings made by the student were posted on the Full Disclosure forum. He stated that he used a custom tool to test numerous links on weather.com, and even posted a video of an attack.

According to the Open Web Application Security Project, cross-site scripting is ranked third among the most common types of web application flaws in the past year. Such vulnerabilities appear when an application accepts untrusted data and sends it to a web browser without validating it.

Cross-site scripting allows cyber criminals to execute scripts in the victim's browser. Such scripts are capable of hijacking user sessions, redirecting the user to corrupted websites or defacing web pages.

Wang reported that the attack worked without a user being logged in. For his test attack, he used IE 9.0.15 on Windows 7 and Firefox 26 on Ubuntu 12.04.
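The flaw class described above, where text appended to a URL is echoed into the page without encoding, is shown here beside its fix. This is an added example, not code from weather.com or from Wang's report; the page template, function names and probe string are assumptions made for illustration.

```javascript
// Added example: reflecting a request path into HTML, unsafe and safe.
// The template and all names here are hypothetical.

// Encode the five characters that let text break out of element
// content or out of a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Percent-decode the raw path, as a framework typically does before
// passing it to a template. Malformed sequences are left as they are.
function decodePath(rawPath) {
  try {
    return decodeURIComponent(rawPath);
  } catch (err) {
    return rawPath;
  }
}

// Vulnerable: the decoded path goes into the markup unchanged, so
// anything appended to the URL becomes part of the page.
function renderVulnerable(rawPath) {
  const path = decodePath(rawPath);
  return `<p title="${path}">No forecast found for ${path}</p>`;
}

// Hardened: same template, but the reflected value is HTML-encoded.
function renderHardened(rawPath) {
  const path = escapeHtml(decodePath(rawPath));
  return `<p title="${path}">No forecast found for ${path}</p>`;
}

// Regression check for a test suite: send a harmless, constructed
// marker element and report whether it comes back as live markup.
function reflectsRawMarkup(render) {
  const probe = '/weather/today/<xss-probe a="1">'; // constructed sample
  return render(encodeURI(probe)).includes('<xss-probe');
}

console.log('vulnerable reflects markup:', reflectsRawMarkup(renderVulnerable));
console.log('hardened reflects markup:  ', reflectsRawMarkup(renderHardened));
```

Running a check like `reflectsRawMarkup` against every route that echoes request data catches a template that skips encoding before it ships.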

Berta Bilbao

Berta is a dedicated malware researcher, dreaming of a more secure cyber space. Her fascination with IT security began a few years ago when malware locked her out of her own computer.
