XSS, XFS, Open Redirect Vulnerabilities Found on About.com
Posted on February 3, 2015 by Kara Dunlap in Security
About.com, the online resource website visited by tens of millions of users each month, is plagued by several types of potentially dangerous vulnerabilities, a researcher revealed on Monday.
According to Wang Jing, a PhD student at the Nanyang Technological University in Singapore, a large majority of the pages on About.com are vulnerable to cross-site scripting (XSS) and cross-frame scripting (XFS/iFrame injection) attacks.
The expert tested close to 95,000 About.com links with a script he developed and determined that at least 99.88% of them are vulnerable. The search field on the website’s homepage is also plagued by an XSS flaw which, according to Jing, means that all the domains related to about.com are vulnerable to XSS attacks.
In order to exploit XSS vulnerabilities, an attacker needs to convince the victim to click on a specially crafted link. XSS attacks can be used to alter the appearance of a website, access potentially sensitive information, and spy on users.
XFS attacks can be used to steal data from websites accessed by the victim. For the attack to work, a malicious actor must get the user to access a Web page he controls. Such vulnerabilities can also be exploited for distributed denial-of-service (DDoS) attacks, the expert noted.
Jing has also identified open redirect bugs on several About.com pages. The vulnerabilities can be leveraged to trick users into visiting phishing and other malicious websites by presenting them with a link that apparently points to an about.com page.
“The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7,” the researcher said in a blog post.
About.com was notified of the existence of the vulnerabilities back in October 2014, but so far the company hasn’t done anything to address them, the researcher said. About.com hasn’t responded to SecurityWeek’s requests for comment.
Poof-of-concept (PoC) videos for the XSS vulnerability on the About.com homepage and the open redirect flaw have been published by the researcher.