Security researcher Rahul Tyagi has reported the vulnerabilities to impacted companies

Jun 6, 2013 10:00 GMT

Indian security researcher Rahul Tyagi, the author of Hacking Crux, has identified cross-site scripting (XSS) vulnerabilities on the websites of several major organizations.

He has sent out notifications to HP, Intel, Forbes, National Geographic, Spike TV, the IEEE Computer Society, Sony, Autodesk, Fujifilm, Dolby, TED Conferences, LLC, and HowStuffWorks, Inc.

The websites of these organizations have been found to contain reflected and some DOM-based XSS vulnerabilities.

Despite being notified over one week ago, and in some cases around three weeks ago, many of the affected companies have not replied to Tyagi’s messages.

However, some of them have replied. For instance, HP and Intel have confirmed receiving the reports, but they still haven’t addressed the issues.

Sony, Dolby and HowStuffWorks all fixed the security holes and thanked the researcher for his work.

“XSS, as we know, helps hackers to inject client-side malicious script into a website’s pages and can lead to many serious problems like reputation attack, like adult alerts, transferring to some inappropriate website. XSS vulnerability may be used by hackers to bypass access controls such as the similar source procedure,” the expert told Softpedia.

“Cross-site scripting vulnerabilities can grant malicious guests control over sites we are surrounded with in this virtual cyber world, and web applications in behavior that we may eventually not be able to manage properly or control,” he added.

“The problem is, via XSS, malicious attackers can insert their own malicious code into websites, web applications, available themes and plugins even in an effort to achieve and have power over some feature – or all aspects – of the website vulnerable to Cross Site Scripting.”

So why don’t companies address such issues after being notified of their existence?

Tyagi says that most organizations are only concerned with protecting their websites against SQL Injection attacks, because these are the ones that can expose their customers’ information.

“Cross Site Scripting vulnerabilities can easily be seen in any website which has a text box, and the reason the vulnerability exists is due to the widespread availability of features from webmasters to interact with users’ input,” the researcher said.

He believes XSS vulnerabilities exist because developers mainly focus on simply making the site work, and they often neglect to make sure that input fields are properly validated.

Tyagi, like many other security experts, is unhappy with the fact that most organizations don’t provide communication channels for reporting bugs and vulnerabilities.

“The most I can find is ‘contact us’ and there, in the drop-down list of issues, there’s no option dedicated to reporting a technical issue, hence it’s clear from my side that either they think their website’s security is impossible to breach, or they forgot to add this in their website,” he noted.

“Being reputable organizations, they must have a ‘report bug’ section on their portal so that if someone finds any bugs, he/she can report them.”

Rahul Tyagi can be contacted on Facebook and Twitter.

Update. Intel has responded to the researcher's notification. The company is in the process of addressing the issue.
