Softpedia

February 14th, 2013, 19:49 GMT · By

Two DOM-Based XSS Vulnerabilities Addressed by Booking.com

Security researcher David Sopas has identified two document object model (DOM) based cross-site scripting (XSS) vulnerabilities on the website of the booking service Booking.com.

“In January I started receiving some phishing emails using Booking.com as bait to spread malware. If these malicious users had the right tools - like for example an XSS vulnerability - they could infect more users. That would not be good,” the expert explained on his blog.

After analyzing the site, he identified DOM-based XSS vulnerabilities on the iPhone app page and in the site’s Frequently Asked Questions section.

“Both vulnerabilities were explored due to the lack of escaping the location.hash and using an older version of jQuery. That way it was possible for a user to inject code into a victim's browser DOM,” Sopas said.
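To make the mechanism concrete, here is an added illustration that is not from the article and not Booking.com's code. Old jQuery builds decided whether the string passed to `$()` was HTML or a selector with a regular expression, and the early form of that regex treated any string containing a `<tag>` as HTML, so `$(location.hash)` turned a crafted URL fragment into parsed markup whose event handlers fire. The two regexes below are modelled on the pre-1.7 and 1.9+ jQuery forms (reproduced from memory; check them against the build you ship); jQuery itself is not loaded, so the snippet runs offline, and the FAQ "jump to entry" use case, the `#faq-cancellation` id and the payload string are constructed for the example.

```javascript
// Added example: why `$(location.hash)` on an old jQuery is a DOM XSS sink,
// and how to treat the fragment as an identifier instead of markup.

// jQuery's `$(string)` decides between "HTML to parse" and "selector to query"
// with a regex. QUICK_EXPR_OLD is modelled on the pre-1.7 form (assumption: any
// string containing <tag> counts as HTML); QUICK_EXPR_NEW on the 1.9+ form
// (HTML only if the string starts with <). Verify against the version you use.
const QUICK_EXPR_OLD = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
const QUICK_EXPR_NEW = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// Classify how a `$(arg)` call would interpret `arg` under a given regex.
function classify(arg, quickExpr) {
  const m = quickExpr.exec(arg);
  if (m && m[1]) return 'html';   // parsed like innerHTML: <img onerror=...> runs
  if (m && m[2]) return 'id';     // fast path: getElementById
  return 'selector';              // full selector engine (throws on bad syntax)
}

// Vulnerable pattern: the raw fragment goes straight into $() to find the
// FAQ entry to highlight. Note: some browsers hand back location.hash
// percent-encoded; if the page decodes it first, the payload reaches $() intact.
function vulnerableJumpTo(hash, quickExpr) {
  return classify(hash, quickExpr);
}

// Hardened pattern: the fragment is data. Accept only a conservative id
// charset (hypothetical policy for this example) and ignore anything else,
// so neither markup nor arbitrary selector syntax reaches the sink.
const SAFE_ID = /^[A-Za-z][\w-]{0,63}$/;
function hashToId(hash) {
  const id = hash.startsWith('#') ? hash.slice(1) : hash;
  return SAFE_ID.test(id) ? id : null;
}
function hardenedJumpTo(hash) {
  const id = hashToId(hash);
  return id === null ? null : '#' + id;   // safe for $() or querySelector
}

// Constructed inputs: a benign deep link and a fragment carrying markup.
const BENIGN = '#faq-cancellation';
const PAYLOAD = '#<img src=x onerror=alert(document.domain)>';

console.log('old jQuery, payload :', vulnerableJumpTo(PAYLOAD, QUICK_EXPR_OLD)); // html
console.log('new jQuery, payload :', vulnerableJumpTo(PAYLOAD, QUICK_EXPR_NEW)); // selector
console.log('hardened, payload   :', hardenedJumpTo(PAYLOAD));                   // null
console.log('hardened, benign    :', hardenedJumpTo(BENIGN));                    // #faq-cancellation
```

Upgrading jQuery closes the "string containing `<tag>` is HTML" path, but it does not make `$(untrustedString)` safe in general: the string is still fed to the selector engine, and other sinks such as `.html()` or `.append()` remain. Validating the fragment against an allowlist before it touches any DOM API is the fix that survives library upgrades.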

Booking.com addressed both issues within a couple of hours of being notified. The company says it is constantly working on improving the security of the website.

For those not familiar with David Sopas’ work, he has previously identified security holes on the sites of several security firms and on one of eBay’s websites.
