14 DAY TRIAL // Experts from Secfence Technologies reveal that NASA has been working on patching some of the vulnerabilities present on its websites, but there are still a few on which the ever-present cross-site scripting (XSS) flaw can still be found.
Since its last report, when it admitted that there’s a lot of work to be done in the security sector, NASA has been working on securing its numerous public facing websites, but there’s still a lot to be done.
Security researchers from Secfence provided a couple of examples.
First, the PDS domain, the one that hosts The Planetary Data System, has been named as containing an XSS weakness that could be easily leveraged by ill-intended hackers.
“Once identified, malicious users can use this to perform various JavaScript- based attacks,” Prashant Uniyal, information security analyst at Secfence told us.
Many may be wondering why the screenshot provided by the experts actually displays the eBay site. That’s because the XSS vulnerability can allow cybercriminals to change the site’s appearance in any way they desire.
By convincing their potential victims to click on a cleverly designed link, the cybercrooks can replace the regular content with anything from malware serving sites to webpages that host phishing forms.
Imagine if instead of the eBay site, there would be a page that displays a form which requests the user to enter his/her passwords and other sensitive information.
Because of the URL displayed in the browser’s address bar, the victim believes that he/she is actually on the legitimate NASA site.
The second domain appointed as being vulnerable is the one of the Goddard Space Flight Center. In this scenario, the white portion of the webpage seen in the screenshot could also be altered to display arbitrary content. For the plot to be successful, some social engineering is required, but as we’ve seen on previous occasions, this is not a great impediment.
By making these flaws public, the experts hope to raise awareness and get NASA to rush the patching process.
