Softpedia
September 30th, 2010, 06:18 GMT · By

Vodafone Websites Riddled with XSS and SQL Injection Vulnerabilities

Vulnerabilities identified on ten Vodafone websites
Nine different Vodafone websites are vulnerable to cross-site scripting (XSS) vulnerabilities, while the UK one is affected by a more dangerous SQL injection flaw.

XSS weaknesses were found on Vodafone.com, Vodafone.com.au, Vodafone.de, Vodafone.es, Vodafone.it, Vodafone.gr, Vodafone.ie, Vodafone.ro, Vodafone.com.tr and Vodafone.in by a Romanian security enthusiast who goes by the nickname of d3v1l.

D3v1l, whose track record includes XSS flaws found in numerous high-profile websites such as PayPal, Visa, US Bank, VeriSign, Mashable, Twitter, Tweetmeme and Symantec, has published details of the Vodafone vulnerabilities on his blog.

Cross-site scripting attacks come in several types, with "persistent" ones being the most dangerous, because the injected code is stored by the site and served to every visitor of the affected page.

The XSS bugs discovered by d3v1l on the Vodafone websites are of the "reflected" kind, which means that attackers can only exploit them by tricking users into visiting specially crafted URLs.
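The reflected variant described above comes down to a server echoing a request parameter into its HTML without encoding it. The following Python example is added here for illustration and is not code from the article or from any Vodafone site: a vulnerable renderer beside its hardened form, plus a simple request-side check a defender can run over access logs. The function names, the `q` parameter and the sample URL are all constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: a search page that reflects the 'q' parameter.
SAMPLE_URL = "https://example.test/search?q=%3Cscript%3E%2F%2A+constructed+%2A%2F%3C%2Fscript%3E"


def query_from_url(url: str) -> str:
    """Extract the 'q' parameter the way a server-side handler would (percent-decoded)."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def render_search_unsafe(query: str) -> str:
    """Vulnerable pattern: the parameter lands in the HTML body verbatim, so any
    markup in the URL becomes part of the page the victim's browser renders."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Hardened pattern: HTML-escape the parameter for the text context it is
    placed in. '<', '>', '&' and quotes become entities and cannot open a tag."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def contains_tag(rendered: str, tag: str = "<script") -> bool:
    """True if the rendered page still contains a live tag of the given name."""
    return tag in rendered.lower()


def looks_like_reflected_xss_attempt(url: str) -> bool:
    """Defender-side check for a log line or WAF rule: flag requests whose
    decoded query parameters carry angle brackets, which a search term never needs."""
    params = parse_qs(urlsplit(url).query)
    return any("<" in v or ">" in v for values in params.values() for v in values)


if __name__ == "__main__":
    q = query_from_url(SAMPLE_URL)
    print("unsafe:", render_search_unsafe(q))
    print("safe:  ", render_search_safe(q))
    print("flagged:", looks_like_reflected_xss_attempt(SAMPLE_URL))
```

Escaping is context-specific: `html.escape` is right for text between tags and for quoted attribute values, but a parameter reflected into a JavaScript block or a URL attribute needs the encoder for that context instead.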

Nevertheless, these weaknesses can still be leveraged to enhance phishing and other attacks. Back in November 2009, malware pushers distributed a banking trojan to Vodafone UK customers, disguised as an account balance checking tool.

In that case the file was attached to emails, but it could just as easily have been hosted on a malicious page to which users would be redirected after clicking one of those Vodafone XSS URLs.

And since we're talking about Vodafone UK, we should point out that its website is also vulnerable to SQL injection, according to d3v1l.

SQL injection is much more serious than XSS, as it gives attackers access to the underlying database, which can contain sensitive data. In some situations, it can also lead to complete server compromise if combined with other techniques.
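The root cause of SQL injection is a query assembled by pasting user input into the SQL text, so the input can alter the statement's structure rather than just its data. The example below is added for illustration and is not code from the article or from Vodafone; it builds a constructed in-memory SQLite table and shows the vulnerable string-formatted lookup next to the parameterized one. Table and column names are made up for the example.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny customers table in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO customers (name, balance) VALUES (?, ?)",
        [("Alice", 12.50), ("O'Brien", 40.00), ("Bob", 3.25)],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the name is formatted straight into the SQL text.
    A quote character in the input terminates the string literal early, so the
    remainder of the input is parsed as SQL instead of as data."""
    sql = f"SELECT name, balance FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: a placeholder keeps the query structure fixed; the driver
    passes the value separately, so quotes in the input are just characters."""
    sql = "SELECT name, balance FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def unsafe_lookup_breaks(conn: sqlite3.Connection, name: str) -> bool:
    """Returns True when the concatenated query no longer parses for this input,
    which is the tell-tale sign that input is reaching the SQL parser."""
    try:
        lookup_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_demo_db()
    print("safe lookup:", lookup_safe(db, "O'Brien"))
    print("unsafe lookup breaks:", unsafe_lookup_breaks(db, "O'Brien"))
```

A legitimate name containing an apostrophe is enough to make the unsafe version fail, and the same mechanism is what lets a crafted value change what the query does. A spike of database syntax errors in application logs is therefore worth alerting on, since it often precedes a successful injection.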

It's worth noting that this type of vulnerability is commonly exploited in mass attacks that inject malicious code into legitimate websites, a kind of attack Vodafone UK is no stranger to.

Earlier this summer, anti-malware experts from AVAST Software found exploits being served from compromised vodafone.co.uk pages that were trying to infect visitors with malware.
