A third unauthorized redirect issue is still present

Nov 3, 2015 05:42 GMT

Security researcher Jing Wang discovered two XSS vulnerabilities on the websites of the Daily Mail and The Telegraph, two famous UK online newspapers. Both vulnerabilities have now been fixed.

The first issue that Wang discovered affected The Telegraph's website, and more specifically, its image galleries.

According to Wang, attackers would have been able to execute JavaScript code by appending malicious code to the end of the image gallery URL through the "frame" parameter, which, as in most XSS cases, was insufficiently sanitized.

The second XSS vulnerability he found was on the Daily Mail's website, via its "report comment abuse" page. As with the Telegraph issue, a parameter was left unsanitized, which allowed attackers to insert malicious code at the end of the URL.

Jing Wang reports that both XSS vulnerabilities were exploitable even if users were not logged in at the moment of the attacks.

A second, unconnected vulnerability was also found on the Daily Mail's user registration page. This page was plagued by an unauthorized redirection flaw that allowed attackers to craft malicious Daily Mail URLs that eventually redirected users to other pages. Those pages could have been used to host adware or scareware, or even to serve more dangerous malware.

Wang reports that the Daily Mail staff fixed the XSS bug, but the redirection issue is still present.
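For readers who maintain similar registration flows, here is an added example (not code from the Daily Mail, The Telegraph, or Wang's report) of how a server can validate a post-registration redirect target so that only same-site destinations are honored. The origin `https://www.example-news.test` and the function name `safeRedirectTarget` are assumptions made for illustration.

```javascript
// Added example: same-origin validation of a redirect target.
// SITE_ORIGIN is a placeholder, not the real site's origin.
const SITE_ORIGIN = "https://www.example-news.test";

// Returns a normalized same-site path to redirect to, or `fallback`
// when the supplied value would leave the site.
function safeRedirectTarget(raw, fallback = "/") {
  if (typeof raw !== "string" || raw.length === 0) return fallback;

  // Backslashes and control characters are never needed in a legitimate
  // target; browsers treat "\" like "/", so "/\host" acts like "//host".
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return fallback;

  let url;
  try {
    // Resolve the way a browser would, relative to our own origin.
    url = new URL(raw, SITE_ORIGIN);
  } catch {
    return fallback;
  }

  // Rejects other hosts, "//host" protocol-relative URLs, userinfo tricks
  // such as "https://our-site@other-host/", and non-HTTP schemes such as
  // "javascript:" (whose origin is the string "null").
  if (url.origin !== SITE_ORIGIN) return fallback;

  // Dot-segment removal can leave a path that begins with "//"
  // (for example "/.//host"), which a browser would follow off-site
  // if it were sent back in a Location header.
  if (url.pathname.startsWith("//")) return fallback;

  // Return the parsed, normalized form, never the raw input.
  return url.pathname + url.search + url.hash;
}
```

The function returns only a path on the site's own origin, so the caller can place the result directly in the `Location` header.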

Proof-of-concept videos for all bugs are embedded below.