Application vulnerability on the official website of The Weather Channel exposing almost all links to cross-site scripting attacks has been addressed recently.
The discovery that over 75% of the websites on Weather.com were vulnerable was made by Wang Jin, a student at the Nanyang Technological University in Singapore.
In order to execute a script, the attacker simply has to add it at the end of the URL of The Weather Channel, explains Wang.
The findings made the student were posted on the Full Disclosure forum. He stated that he used a custom tool to test numerous links on weather.com, and even posted a video of an attack.
According to the Open Web Application Security Project, cross-site scripting is ranked third among the most common types of web application flaws in the past year. Such vulnerabilities appear when untrusted data is accepted by the application. This way the app is redirected to a web browser without being validated.
Cross-site scripting allows cyber criminals to execute script in the browser of the victim, capable of hijacking user sessions, redirecting the computer user to corrupted websites or defacing web pages.
Wang reported that the attack worked without a user being logged in. For his test-attack, he used IE 9.0.15 on Windows 7 and Firefox 26 on Ubuntu 12.04.