A clever advertisement made by Volkswagen could "inspire" hackers

Mar 17, 2012 11:21 GMT  ·  By

About ten days ago, Sophos Senior Technology Consultant Graham Cluley published an interesting post about an advertisement on an official website of the world-renowned automobile manufacturer Volkswagen.

The ad said “Unbelievable value (This site has not been hacked)” next to the picture and price of a Volkswagen Polo.

“Clearly, the general public's awareness of website hacking has reached incredible levels if it's now being used as a joke by advertisers,” Cluley wrote at the time.

Of course, the ad raised the curiosity of security experts and hackers, one of them being security researcher Shadab Siddiqui.

He analyzed the site and within a few minutes determined that it was full of cross-site scripting (XSS) security holes that could be easily exploited by hackers.

“XSS is underestimated by many people, but what most don’t know is that XSS is the same thing which Anonymous used to gain access to email and then leak that conference call between FBI and Scotland Yard,” Siddiqui revealed.

“So it’s just not a small bug. As I said on previous occasions, depending upon the person using it, it’s more crucial. The pen is mightier than the sword if in writer’s hands and, if it’s in the wrong hands, a sword is also of no use.”

The expert explained that more than 40 webpages of the Volkswagen site are affected by XSS vulnerabilities. Also, a lot of “improper coding and lack of sanitization” is present.

“A Cookie was not marked as secure and transmitted over HTTPS. This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic or following a successful MITM (Man in the middle) attack,” he explained.

“This cookie will be transmitted over a HTTP connection, therefore if this cookie is important (such as a session cookie) an attacker might intercept it and hijack a victim's session. If the attacker can carry out a MITM attack, he/she can force the victim to make a HTTP request to steal the cookie.”
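The cookie finding quoted above can be checked from the defender's side by reading the `Set-Cookie` headers a site returns. The following is an added example, not code from the article or the researcher: the header values are constructed samples, and the function names and the session-name heuristic are assumptions made for illustration.

```python
# Added example. Header values below are constructed sample data, not from any site.

SESSION_HINTS = ("sess", "sid", "auth", "token")  # assumption: naming heuristic


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = header_value.split(";")
    name, _, value = first.partition("=")
    # Attribute names are case-insensitive; flags such as Secure have no value.
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in rest) if k.strip()}
    return name.strip(), value.strip(), attrs


def audit_cookie(header_value, served_over_https=True):
    """Return (cookie name, list of findings) for one Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if served_over_https and "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by page script")
    if findings and any(h in name.lower() for h in SESSION_HINTS):
        findings.append("name suggests a session cookie: treat as high priority")
    return name, findings


def audit_response(set_cookie_headers, served_over_https=True):
    """Audit every Set-Cookie header of one response; keep cookies with findings."""
    report = {}
    for header in set_cookie_headers:
        name, findings = audit_cookie(header, served_over_https)
        if findings:
            report[name] = findings
    return report


# Constructed sample: Set-Cookie values as they might appear in an HTTPS response.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/",
    "lang=en; Path=/; Secure",
    "auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie, issues in audit_response(SAMPLE_HEADERS).items():
        print(cookie, "->", "; ".join(issues))
```

The HttpOnly check is included because a cookie readable by page script is what turns an XSS hole like those reported here into a session-theft risk.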

He revealed that at least 15-20 SQL Injection vulnerabilities were also present on the site. The lack of proper filtering and sanitization makes the site an easy target for any hacker with a malicious agenda.

“If these companies would hire a pentester/security expert they could have the site fixed quickly to make sure that hackers don't change the prices. ;) And if they make such an advertisement then no one can make fun of them like I could do, but didn’t :P” he concluded.

Volkswagen representatives (the ones who administer the site in question) were contacted regarding these issues right after the Naked Security article was published, but so far they haven’t responded.

Update. The article has been slightly modified because the SQL Injection vulnerabilities that could have presented a serious risk to the site's database cannot be exploited.
