Security researcher says that is vulnerable to XSS and Iframe Injection (XFS) attacks, and has some serious vulnerabilities which can be exploited by cyber criminals. Wang Jing, a security researcher from the Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS) at Nanyang Technological University (NTU) in Singapore, says that the vulnerabilities are serious and affect all subdomains of

Jing, who disclosed the vulnerabilities on Monday on his blog Security Pitch, stated that “at least 99.88%” of all topic links and all domains related to are vulnerable to open XSS (Cross Site Scripting) and Iframe Injection (Cross Frame Scripting, XFS) attacks.

Jing says he informed about the vulnerabilities in October 2014 but failed to elicit any response from the administrators or the security team of He waited for three months only to find that the vulnerabilities were still not patched. He stated while making the disclosure, “Until now, they are still unpatched.”

Jing added, “Simultaneously, the main page’s search field is vulnerable to XSS attacks too. This means all domains related to are vulnerable to XSS attacks.”

In addition to the XSS and XFS vulnerabilities, a new “Open Redirect” vulnerability related to is introduced. Jing says that since is a trusted domain and used by many other websites, the vulnerabilities can be used to perform ‘Covert Redirect’ attacks against other websites.

The XFS or Iframe Injection vulnerability can also be used for denial of service against other websites. Jing said, “For the Iframe Injection vulnerabilities, can be used to do DOS (Denial-of-Service Attack) to other websites, too.”
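The three issues described above (a search field that reflects input unescaped, an open redirect on a trusted domain, and injected iframes pointing at other sites) share a single root cause: untrusted request parameters reaching the response without validation. The following is an added illustration written for this article, not code from Jing's blog or from the affected site, which is not named here (the trusted hostname is a constructed placeholder). It shows the reflecting 'before' pattern beside its escaped form, a redirect-target check that only accepts same-site paths or URLs on the trusted host, and the response headers that stop a page from being framed at all.

```python
import html
from urllib.parse import urlparse

# Constructed placeholder for the affected domain; the article does not name it here.
TRUSTED_HOST = "trusted.example"


def render_search_vulnerable(query: str) -> str:
    """The 'before' pattern: the query is reflected into markup unescaped.
    Any markup in the parameter, e.g. a <script> or <iframe> tag, becomes
    part of the page. This is the reflected XSS / iframe injection shape."""
    return f"<p>Results for: {query}</p>"


def render_search_hardened(query: str) -> str:
    """HTML-escape untrusted input before placing it in element content."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def safe_redirect_target(target: str, trusted_host: str = TRUSTED_HOST) -> str:
    """Return `target` only if it is a same-site relative path or an absolute
    http(s) URL whose host is exactly `trusted_host`; otherwise fall back to '/'.

    Rejects protocol-relative URLs ('//other.example/...'), backslash tricks
    that some browsers normalise to '/', and non-http schemes such as
    'javascript:'. This is the check an open redirect endpoint is missing."""
    if "\\" in target:
        return "/"
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative path: must start with a single '/'
        if target.startswith("/") and not target.startswith("//"):
            return target
        return "/"
    if parsed.scheme in ("http", "https") and parsed.hostname == trusted_host:
        return target
    return "/"


def anti_framing_headers() -> dict:
    """Response headers that prevent the page from being embedded in a frame
    by other origins; both are set because older browsers only honour the first."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


if __name__ == "__main__":
    # Constructed sample inputs, as they might arrive in a query string.
    injected = '<iframe src="https://other.example/"></iframe>'
    print(render_search_vulnerable(injected))
    print(render_search_hardened(injected))
    for t in ["/topics/42", "//other.example/", "https://trusted.example/x",
              "https://trusted.example.other.example/", "javascript:alert(1)"]:
        print(t, "->", safe_redirect_target(t))
    print(anti_framing_headers())
```

The redirect check compares the parsed hostname for exact equality rather than using a prefix or substring match, since `trusted.example.other.example` would otherwise pass. The framing headers address the case where the site itself is loaded inside an attacker's iframe; they do not by themselves fix an endpoint that reflects an `<iframe>` tag, which is what the escaping in `render_search_hardened` is for.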

A video of the Proof of Concept is given below:

