Another Forbes 100 company whose website is full of security holes

Mar 2, 2012 20:21 GMT  ·  By

The official website of the Forbes 100 company Honeywell (honeywell.com) was found to contain a number of vulnerabilities, including cross-site scripting (XSS), an Iframe injection, and an image uploading flaw.

The security holes were identified by independent security researcher Shadab Siddiqui, who has recently drawn the community's attention by finding weaknesses in sites such as redhat.com, pinterest.com, alshaya.com and the popular Indian search engine Guruji.

Honeywell is a company that makes billions in revenue each year with technologies designed to address the challenges of safety, security and energy, but it turns out the company has been neglecting to keep its own public website patched.

“Using Iframe Injection, an attacker can inject advertisements inside any other websites, insert malware infected site links, redirect to malware infected sites and more. Malware Attackers use this IFrame and include the malware websites,” Siddiqui told us.

“They are able to include the webpage one pixel square (you won't be able to see it in the webpage). Obfuscate the JavaScript that will run automatically from that included page so that it looks something like '6C framebo' - leaving no obvious clue that it's malicious.”
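The one-pixel, invisible frame the researcher describes is exactly the footprint a site owner can scan for. The following is an added example for this article, not code from the page or from the researcher: a small Python scanner that parses HTML with the standard library, flags every iframe that is tiny or hidden by CSS, and notes when such a frame also points to a host outside the site. The site host, the `malware.example` hostname and the sample page are constructed for the example.

```python
"""Flag hidden-iframe indicators of iframe injection in a page's HTML.

Added example (not from the article). SITE_HOST and the sample page are
constructed; 'malware.example' is a placeholder hostname.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "honeywell.com"  # assumption: the domain the page is served from


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _px(value):
    """Leading integer of '1', '1px', '560' etc.; None when not numeric."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


def _hidden_by_style(style):
    """Inline CSS tricks that make a frame invisible without a tiny size."""
    css = (style or "").lower().replace(" ", "")
    return (
        "display:none" in css
        or "visibility:hidden" in css
        or "opacity:0" in css
        or re.search(r"(width|height):[01]px", css) is not None
        or re.search(r"(left|top):-\d{3,}", css) is not None  # parked off-screen
    )


def _is_foreign(src, site_host):
    host = (urlparse(src).hostname or "").lower()
    return bool(host) and host != site_host and not host.endswith("." + site_host)


def scan_html(html, site_host=SITE_HOST):
    """Return [(src, [reasons])] for every iframe that is tiny or hidden.

    A visible embed (a video player, say) is left alone even if it is
    off-site; an invisible frame is anomalous on its own, and pointing
    at a foreign host makes it more so.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        width, height = _px(attrs.get("width")), _px(attrs.get("height"))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("tiny")
        if _hidden_by_style(attrs.get("style")):
            reasons.append("hidden-by-css")
        if reasons and _is_foreign(attrs.get("src", ""), site_host):
            reasons.append("foreign-host")
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings


# Constructed sample page: one legitimate embed, two injected frames.
SAMPLE_PAGE = """<html><body>
<h1>Products</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://malware.example/loader.php" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://malware.example/x.html" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in scan_html(SAMPLE_PAGE):
        print(f"suspicious iframe {src!r}: {', '.join(reasons)}")
```

Running the scanner against a crawl of your own site (or against a cached copy from a content monitor) catches the injected frame even when the payload script is obfuscated, because the check keys on how the frame is hidden, not on what it loads.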

He also pointed out that an attacker could leverage the XSS vulnerabilities to perform clickjacking.

“Clickjacking is a malicious technique of tricking a Web user into clicking on something different to what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages,” he explained.

“A vulnerability across a variety of browsers and platforms, a clickjack takes the form of embedded code or a script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.”
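Clickjacking works only when a site lets itself be framed by other origins, so the practical check is whether the site's responses forbid that. The following is an added example, not part of the article: a Python helper that classifies a response's framing policy from its `Content-Security-Policy` `frame-ancestors` directive and its `X-Frame-Options` header, and a function that produces the hardened pair of headers. The header values below are constructed samples.

```python
"""Classify a response's clickjacking protection from its headers.

Added example (not from the article). Sample header sets are constructed.
Per the CSP specification, a frame-ancestors directive takes precedence
over X-Frame-Options when both are present, so it is evaluated first.
"""


def _frame_ancestors(csp_value):
    """Return the source list of frame-ancestors, or None if absent."""
    for directive in (csp_value or "").split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_policy(headers):
    """Return one of 'deny', 'sameorigin', 'allowlist' or 'unprotected'."""
    lowered = {name.lower(): value for name, value in headers.items()}

    sources = _frame_ancestors(lowered.get("content-security-policy"))
    if sources is not None:
        if sources == ["none"]:
            return "deny"
        if sources == ["self"]:
            return "sameorigin"
        return "allowlist"  # specific origins, or a mix that includes 'self'

    xfo = (lowered.get("x-frame-options") or "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    # ALLOW-FROM is obsolete and ignored by current browsers, so it does
    # not count as protection; an empty or unknown value is no protection.
    return "unprotected"


def hardened_headers(allow_same_origin=False):
    """Headers a site should send on every HTML response to refuse framing.

    Both headers are emitted: CSP for modern browsers, X-Frame-Options as
    the fallback for older ones.
    """
    if allow_same_origin:
        return {
            "Content-Security-Policy": "frame-ancestors 'self'",
            "X-Frame-Options": "SAMEORIGIN",
        }
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }


# Constructed sample responses, e.g. as captured by a header audit.
SAMPLE_RESPONSES = {
    "no headers": {"Content-Type": "text/html"},
    "legacy allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp only": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "conflicting": {"X-Frame-Options": "SAMEORIGIN",
                    "Content-Security-Policy": "frame-ancestors 'none'"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(f"{label:18s} -> {framing_policy(hdrs)}")
```

Pages that carry authenticated actions (forms, account settings, anything a hidden click could trigger) should come back as 'deny' or 'sameorigin'; anything else leaves the clickjacking path described above open.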

A final security hole identified on Honeywell’s site is a URL redirect that an attacker could use for cookie hijacking.
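A redirect becomes exploitable when the site forwards users to whatever destination a request parameter names. The fix is to validate the destination before redirecting. The following is an added example, not code from the article or from Honeywell's site: a Python validator that accepts only site-relative paths and absolute URLs on the site's own domain, rejecting the usual bypasses (protocol-relative `//host`, backslash variants, userinfo tricks and non-HTTP schemes). The site host and test URLs are constructed.

```python
"""Validate a user-supplied redirect target before honouring it.

Added example (not from the article). SITE_HOST and the sample targets
are constructed; 'evil.example' is a placeholder hostname.
"""
from urllib.parse import urlparse

SITE_HOST = "honeywell.com"  # assumption: the site's registrable domain


def is_safe_redirect(target, site_host=SITE_HOST):
    """True only for a site-relative path or an absolute URL on the site.

    The vulnerable pattern is `redirect(request.args["next"])` with no
    check at all; this function is the check such a handler should run.
    """
    if not target:
        return False
    # Whitespace and control characters are interpreted inconsistently by
    # URL parsers and browsers, so refuse them outright.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    # Browsers treat a backslash like a slash, so '/\evil.example' is
    # really '//evil.example'; normalise before parsing.
    normalized = target.replace("\\", "/")
    parsed = urlparse(normalized)

    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, and friends
    if parsed.netloc:
        # hostname strips any 'user@' prefix, so 'https://site@evil' is
        # judged on 'evil', not on the decoy in front of the '@'.
        host = (parsed.hostname or "").lower()
        return host == site_host or host.endswith("." + site_host)
    # No authority: require a plain absolute path, and rule out the
    # scheme-relative '//host' and '///host' forms.
    return normalized.startswith("/") and not normalized.startswith("//")


def redirect_target(requested, fallback="/"):
    """Destination a handler should actually use for a 'next' parameter."""
    return requested if is_safe_redirect(requested) else fallback


# Constructed sample targets: the first two are legitimate, the rest are
# shapes an unchecked redirect would forward to an attacker's host.
SAMPLE_TARGETS = [
    "/account/settings",
    "https://www.honeywell.com/portal",
    "https://evil.example/phish",
    "//evil.example/phish",
    "/\\evil.example/phish",
    "https://honeywell.com.evil.example/",
    "https://honeywell.com@evil.example/",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(f"{t!r:45s} -> {redirect_target(t)}")
```

Keeping the allowed destinations to the site's own domain removes the redirect as a vehicle for carrying a session cookie or a login page to an attacker-controlled host; where cross-site redirects are genuinely needed, replace the host check with an explicit allowlist of partner domains rather than loosening the parser.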

Honeywell has been informed of the vulnerabilities, but we have experienced difficulties in communicating with their representatives. This post will be updated as soon as new information is made available.

Photo Gallery (3 Images): XSS vulnerability in Honeywell.com; Iframe injection flaw in Honeywell.com; Image upload issue in Honeywell.com