Weather.com fixes web application vulnerabilities

More than 75 percent of pages on the site were vulnerable to cross-site scripting

The Weather Channel has fixed a common web application security problem on its website that made nearly all links vulnerable to cross-site scripting attacks.

Wang Jin, a doctoral student at the School of Physical and Mathematical Sciences at Nanyang Technological University in Singapore, found more than 75 percent of the web pages on Weather.com were vulnerable.

"Attackers just need to add script at the end of The Weather Channel's URLs," Wang wrote. "Then the scripts will be executed."

Wang posted his findings on the Full Disclosure forum, writing that the issues have been fixed. He wrote that he tested tens of thousands of links on Weather.com using a custom tool and posted a video illustrating an attack.

Cross-site scripting was the third-most common type of vulnerability in web applications last year, according to the Open Web Application Security Project. An XSS flaw occurs when an application accepts untrusted data and sends it to a web browser without validating it.

"XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites or redirect the user to malicious sites," according to OWASP.
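
As an added illustration (not code from Weather.com or from Wang's report), the sketch below shows the class of flaw described above: a hypothetical page template that copies the request path into its markup, next to the same template with output escaping. The template, the `example.test` host and the sample paths are assumptions constructed for this example.

```javascript
// Added illustration: hypothetical page template, not Weather.com's code.

// Escape the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Servers usually percent-decode the path before handing it to a template.
function decodePath(rawPath) {
  try {
    return decodeURIComponent(rawPath);
  } catch (err) {
    return rawPath; // malformed %-sequence: keep the raw text, still untrusted
  }
}

// Vulnerable: the request path is copied into an attribute and body text as-is.
function renderUnsafe(rawPath) {
  const path = decodePath(rawPath);
  return `<link rel="canonical" href="https://example.test${path}">\n` +
         `<p>You are viewing ${path}</p>`;
}

// Hardened: same template, the untrusted value is escaped at output time.
function renderSafe(rawPath) {
  const path = escapeHtml(decodePath(rawPath));
  return `<link rel="canonical" href="https://example.test${path}">\n` +
         `<p>You are viewing ${path}</p>`;
}

// Regression check: did untrusted markup reach the page in unescaped form?
function reflectsRaw(html, rawPath) {
  const decoded = decodePath(rawPath);
  return /[<>"']/.test(decoded) && html.includes(decoded);
}

// Constructed sample requests: one ordinary path, one with markup appended.
const samples = [
  '/forecast/singapore',
  '/forecast/singapore/%22%3E%3Cscript%3Ealert(1)%3C/script%3E',
];
for (const p of samples) {
  console.log(p, '| unsafe reflects raw:', reflectsRaw(renderUnsafe(p), p),
              '| safe reflects raw:', reflectsRaw(renderSafe(p), p));
}
```

The hardened version escapes quotes as well as angle brackets because the path also lands inside an `href` attribute, where a bare `"` is enough to break out of the value.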

The attack worked without a user being logged in, Wang wrote. He tested the attack using Firefox version 26 in Ubuntu version 12.04 and with Internet Explorer version 9.0.15 on Windows 7.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Tags: Exploits / vulnerabilities, The Weather Channel
