Most of the companies still haven't responded to the security notifications

Aug 20, 2013 18:41 GMT

The websites of several major media organizations have been targeted by hackers recently. However, experts say the companies haven’t learned from past incidents and have failed to secure their websites.

Ilia Kolochenko, CEO of High-Tech Bridge, has told Infosecurity Magazine that the websites of publications such as The Washington Post, The New York Times, Bloomberg, The Times, The Guardian, The Telegraph, Forbes, Wall Street Journal, The Independent, and the Financial Times contain vulnerabilities.

The company identified most of the security holes in July and immediately notified the impacted media organizations. However, their response, or lack of response, shows that they haven’t learned much from past mistakes.

Only the Financial Times acknowledged the existence of the vulnerability and attempted to deploy a patch. However, the patch isn’t effective in stopping hackers.

The Wall Street Journal has also confirmed the existence of the flaw reported by Kolochenko’s company, but the security hole still hasn’t been fixed.

The other organizations haven’t responded at all.

“A hacker could modify arbitrary content on a website page, and post fake news or just ‘deface’ the webpage. He could steal users’ cookies and sessions. The vulnerability could be used to perform various types of phishing and scam attacks, or set up the site for drive-by attacks to infect visitors,” Kolochenko told Infosecurity.

High-Tech Bridge has developed an online, automated penetration testing service designed especially for small and medium enterprises. However, Kolochenko didn’t use the service to demonstrate the security holes in the websites of the media organizations, because it performs deep penetration testing that requires approval from the targeted site’s owner.

Instead, he demonstrated his findings with a simple Google search; each of the security holes was discovered in around 15 minutes.