Indian security researcher Deepanker Verma claims to have uncovered cross-site scripting (XSS) and iFrame injection vulnerabilities on the shopping website of AOL.
According to the expert, cybercriminals could leverage these flaws to steal user cookies and hijack sessions.
To demonstrate the fact that iFrames can be injected into the AOL Shopping website, Verma has added an iFrame that points to his own site (see screenshot).
“This is a popular shopping website with millions of users. An attacker can trick innocent users and use this vulnerability for malicious tasks,” the researcher wrote on Hacking Tricks.
The expert says that the vulnerabilities have been reported to AOL, but so far they haven’t responded to his notifications.
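The injection Verma describes (an HTML tag smuggled in through a request parameter) leaves a trace in ordinary web server access logs. The following detector is an added example, not code from the article or from AOL: it URL-decodes the query string of each request (including double-encoded values) and flags parameters that carry an `<iframe>`, `<script>` or similar tag. The log lines, IP addresses and paths are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed access-log lines (not from the article); hosts, paths and IPs are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Oct/2012:10:01:02 +0000] "GET /search?q=laptop HTTP/1.1" 200 5120
203.0.113.9 - - [12/Oct/2012:10:01:07 +0000] "GET /search?q=%3Ciframe%20src%3D%22http%3A%2F%2Fattacker.example%2F%22%3E%3C%2Fiframe%3E HTTP/1.1" 200 5300
198.51.100.2 - - [12/Oct/2012:10:01:09 +0000] "GET /item?id=42&ref=%253Cscript%253Etest%253C/script%253E HTTP/1.1" 200 4100
"""

# Tags that embed foreign content or run script when reflected unescaped into a page.
TAG_RE = re.compile(r"<\s*/?\s*(iframe|script|object|embed|img|svg)\b", re.I)
# Common-log-format request line: client IP, then "METHOD target HTTP/x.y".
REQ_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def fully_decode(value, max_rounds=3):
    """Undo up to max_rounds of percent-encoding so double-encoded tags are still visible."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_tag_injections(log_text):
    """Return one finding per query parameter whose decoded value contains a suspicious tag."""
    findings = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl decodes one layer; fully_decode peels any extra layers.
        for name, raw in parse_qsl(query, keep_blank_values=True):
            tag = TAG_RE.search(fully_decode(raw))
            if tag:
                findings.append({"ip": m.group("ip"), "param": name, "tag": tag.group(1).lower()})
    return findings


if __name__ == "__main__":
    for f in find_tag_injections(SAMPLE_LOG):
        print(f"{f['ip']} injected <{f['tag']}> via parameter '{f['param']}'")
```

Reflected tags that pass through a WAF and reach the application are a sign that output encoding is missing on that parameter; the same check can be applied to the values the application actually rendered.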
Previously, Deepanker Verma has identified security holes in websites such as Pinterest, the Indian search engine Guruji, and Google Books.
Update. According to security researcher Suriya Prakash, AOL doesn't handle vulnerability reports too well. He says that the company still hasn't addressed the XSS issues he reported to them a few months ago.
Moreover, it turns out that a security hole similar to the one identified by Verma was found by the TeamHav0k hacker group almost one year ago.