It took the company three months to address the issue

Mar 19, 2013 21:51 GMT

Portuguese security researcher David Sopas has identified a DOM-based cross-site scripting vulnerability on Alexa.com, the world-renowned commercial web traffic data provider. The issue was reported to the company back in December 2012. 

According to the expert, the security hole could have been exploited by cybercriminals to trick unsuspecting Internet users into visiting their phishing websites.

“This vulnerability was present at tags.js from a remote location and the variable ‘tagSrc’ lacked the proper sanitizing,” Sopas explained on his personal blog.

Fortunately, the flaw has been fixed by Alexa, but the expert says it took the company over three months to address it.

“It's strange that a company that's so big couldn't fix this type of vulnerability faster,” the researcher noted.

Sopas previously identified similar vulnerabilities on an eBay website, on Booking.com, and on the sites of various security firms.