Pakistani researcher Rafay Baloch has identified security holes on a number of Nokia sites

Mar 27, 2013 12:19 GMT

Pakistani security researcher Rafay Baloch has identified several security holes on various websites operated by Nokia. The company has addressed the vulnerabilities and has rewarded the expert’s work with a Nokia Lumia 820 smartphone.

The security holes identified by the researcher include an iFrame injection and a couple of cross-site scripting (XSS) issues on the PrimePlaces subdomain (primeplace.nokia.com).

The same subdomain was also plagued by a cross-site framing vulnerability and a clickjacking flaw caused by the lack of an X-Frame-Options response header.

The expert has also found some security issues on the Nokia Developer website (developer.nokia.com).

“I found a CSRF vulnerability. By using this vulnerability I can change any user's email address and other details. Possible tokens are missing. Furthermore, I found a clickjacking vulnerability as X-Frame-Options are missing,” Rafay Baloch explained.

In addition to these flaws, he also discovered that passwords on the developer subdomain were transmitted over HTTP instead of HTTPS.

Currently, Nokia doesn't have a bug bounty program. However, depending on the vulnerability and the service that's affected, researchers might get other rewards besides being listed in the hall of fame.

If you're interested in learning how the company handles security and privacy, check out the Nokia Security page.
