About.com links vulnerable to XSS, XFS iframe attack

Security researcher says that About.com is vulnerable to XSS and Iframe Injection (XFS) attacks

About.com has some serious vulnerabilities which can be exploited by cyber criminals. Wang Jing, a security researcher from the Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS) at Nanyang Technological University (NTU) in Singapore, says that the vulnerabilities are serious and affect all subdomains of About.com.

Jing, who disclosed the vulnerabilities on Monday on his blog Security Pitch, stated that “at least 99.88%” of all topic links and all domains related to About.com are vulnerable to open XSS (Cross Site Scripting) and Iframe Injection (Cross Frame Scripting, XFS) attacks.

Jing says he informed About.com about the vulnerabilities in October 2014 but failed to elicit any response from the administrators or the security team of About.com. He waited for three months only to find that the vulnerabilities were still not patched. He stated while making the disclosure, “Until now, they are still unpatched.”

Jing added, “Simultaneously, the About.com main page’s search field is vulnerable to XSS attacks too. This means all domains related to about.com are vulnerable to XSS attacks.”

In addition to the XSS and XFS vulnerabilities, a new “Open Redirect” vulnerability related to About.com was also disclosed. Jing says that since About.com is a trusted domain and used by many other websites, the vulnerabilities can be used to perform ‘Covert Redirect’ attacks to other websites.

The XFS, or Iframe Injection, vulnerability can also be used for denial of service against other websites. Jing said, “For the Iframe Injection vulnerabilities, can be used to do DOS (Denial-of-Service Attack) to other websites, too.”

A video of the proof of concept is given below:


