The intelligence agency has patched the vulnerabilities

May 5, 2014 09:16 GMT

Matthias Ungethüm, a security expert from Germany, has managed to find a couple of vulnerabilities on the official website of the United States National Security Agency.

The expert has told German broadcaster MDR that he first found a cross-site scripting (XSS) vulnerability on the NSA website’s homepage. The flaw enabled him to alter the website’s appearance.

To demonstrate how the issue can be exploited, he replaced one of the banners on the site with one that read “Examine your homepage” in German.

XSS vulnerabilities can be exploited by cybercriminals for phishing and to lure users to malicious or spam websites. However, the type of XSS found by Ungethüm can’t be leveraged to permanently change the website’s appearance.

The changed version of the website is only seen by users who click on a link provided by the attacker.
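The reflected behaviour the article describes, as an added example that is not the article's or the NSA site's code: a constructed page that echoes a hypothetical `banner` query parameter, shown once without output encoding and once HTML-encoded, plus a check a defender can run to see whether request markup survives into the response.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a page that echoes a query parameter into a banner.
# The "banner" parameter and the template are assumptions for illustration.
TEMPLATE = "<html><body><div class='banner'>{banner}</div></body></html>"
DEFAULT_BANNER = "Welcome"

# Constructed URLs: a crafted link that injects markup, and a normal visit.
CRAFTED = "https://example.invalid/page?banner=<b>Examine your homepage</b>"
NORMAL = "https://example.invalid/page"


def _banner_param(url: str) -> str:
    params = parse_qs(urlsplit(url).query)
    return params.get("banner", [DEFAULT_BANNER])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the parameter into HTML verbatim: attacker markup is rendered."""
    return TEMPLATE.format(banner=_banner_param(url))


def render_fixed(url: str) -> str:
    """Same page, but HTML-encodes the reflected value so markup becomes text."""
    return TEMPLATE.format(banner=html.escape(_banner_param(url), quote=True))


def reflects_markup(url: str, render) -> bool:
    """Defender check: does a tag from the request appear intact in the response?"""
    value = parse_qs(urlsplit(url).query).get("banner", [""])[0]
    return "<" in value and value in render(url)


if __name__ == "__main__":
    # Only the crafted link shows the altered banner; a normal visit is
    # unchanged, which is why this kind of XSS is not persistent.
    print(render_vulnerable(CRAFTED))
    print(render_vulnerable(NORMAL))
    print(render_fixed(CRAFTED))
```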

While the XSS vulnerability is not critical, the expert also claims to have identified an SQL Injection flaw on the NSA’s website. SQL Injection vulnerabilities are usually more serious because they can be leveraged to gain access to information stored in a website’s databases.

Ungethüm has told MDR that he hasn’t exploited the SQL Injection bug for legal reasons.

The expert reported the security holes to the intelligence agency one week before making his findings public. He didn’t get any response. However, shortly after the existence of the vulnerabilities was revealed, the NSA addressed them.