Pierluigi Paganini
February 03, 2015
Wang Jing, a PhD student at the Nanyang Technological University in Singapore has discovered that the majority of the web page of About.com are vulnerable different types of attacks, including cross-site scripting (XSS) and iFrame injection (Cross Frame Scripting) .
Wang Jing has analyzed nearly 95,000 About.com links by using a script he developed and discovered that at least 99.88% of them were affected by the security flaws, the news is very disconcerting if we consider that the website is by tens of millions of users each month .
Even the search field on the main homepage is affected by an XSS flaw and as explained by Jing, all the domains related to about.com result affected by the same vulnerability.
The exploitation of the XSS flaw is possible by tricking the user into clicking on a specially crafted link and could be used by an attacker to steal sensitive information from the victims.
“About.com all “topic sites” are vulnerable to XSS (Cross-Site Scripting) and Iframe Injection (Cross Frame Scripting) attacks. This means all sub-domains of about.com are affected. Based on a self-written program, 94357 links were tested. Only 118 links do not belong to the topics (Metasites) links. Meanwhile, some about.com main pages are vulnerable to XSS attack, too. This means no more than 0.125% links are not affected” wrote Jing. “Simultaneously, the About.com main page’s search field is vulnerable to XSS attacks, too. This means all domains related to about.com are vulnerable to XSS attacks.”
The expert also discovered that About.com is vulnerable to Iframe Injection that could be used to steal sensitive data or to turn the victim’s machine in a bot that is abused to run a DDOS (Distributed Denial-of-Service Attack) against other websites.
“In an XFS (Cross-frame-Scripting) attack, the attacker exploits a specific cross-frame-scripting bug in a web browser to access private data on a third-party website. The attacker induces the browser user to navigate to a web page the attacker controls; the attacker’s page loads a third-party page in an HTML frame; and then JavaScript executing in the attacker’s page steals data from the third-party page.” (OWASP)
Wang Jing also discovered some “Open Redirect” vulnerabilities related to about.com that could be exploited by attackers to do “Covert Redirect” to websites controlled by scammers and phishers that display a site that appear as legitimate that could be used for various kinds of attacks.
“The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7,” Jing added in the bog post.
The sad thing is that according to the researcher, despite he has reported the flaws to About.com in October 2014, the company ignored him.
(Security Affairs – About.com, hacking)
