Weather Channel forecast: Bleak, with prolonged XSS

A billion visitors exposed to scripting storm

The Weather Channel has dammed a downpour of cross-site-scripting vulnerabilities that soaked three quarters of links on the popular site, security bod Wang Jin says.

The website received a tsunami of traffic, with more than a billion unique visitors checking in each month, according to Drupal, which noted it was the "highest trafficked Drupal site in existence".

Wang Jin, a doctoral student at Nanyang Technological University, reported the poor conditions to the site administrators, who closed the basic holes affecting tens of thousands of links in late November.

Jin said attackers could have whipped up a scripting storm against visitors.

"Almost all links under the domain weather.com are (were) vulnerable to XSS attacks," Jin said in an advisory.

"Attackers just need to add script at the end of The Weather Channel's URLs [and] then the scripts will be executed.

"The reason of (sic) this vulnerability is that Weather Channel uses URLs to construct its tags without filtering malicious script codes."
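The construction Jin describes, where the request URL is written into a tag without escaping, is easy to reproduce and easy to fix. The following is an added example, not code from weather.com or from Jin's tool: it builds a canonical `<link>` tag from a constructed URL (the `example.test` host and the harmless `<i>probe</i>` suffix are made up for the demonstration) first the vulnerable way and then with attribute escaping, and parses the result the way a browser would to check whether the reflected URL has added any tag beyond the expected one.

```python
from html import escape
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional, Tuple

# Constructed request URL: a real-looking path with a harmless probe appended.
# The probe closes the href attribute and opens a new tag, which is exactly
# what an attacker-controlled URL suffix does to the vulnerable template.
PROBE_URL = 'https://example.test/weather/today/12345"><i>probe</i>'

def build_canonical_unescaped(request_url: str) -> str:
    """Vulnerable pattern: the raw request URL is written straight into a tag."""
    return f'<link rel="canonical" href="{request_url}">'

def build_canonical_escaped(request_url: str) -> str:
    """Hardened pattern: attribute-escape the value so quotes and angle brackets are inert."""
    return f'<link rel="canonical" href="{escape(request_url, quote=True)}">'

class _TagRecorder(HTMLParser):
    """Records each start tag and its (entity-decoded) attributes, as a browser's parser sees them."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: List[Tuple[str, Dict[str, Optional[str]]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def _parse(fragment: str) -> List[Tuple[str, Dict[str, Optional[str]]]]:
    recorder = _TagRecorder()
    recorder.feed(fragment)
    recorder.close()
    return recorder.tags

def start_tags(fragment: str) -> List[str]:
    """Names of the start tags found in the fragment; the template should yield just ['link']."""
    return [tag for tag, _ in _parse(fragment)]

def link_href(fragment: str) -> Optional[str]:
    """The href the parser assigns to the <link> tag, entities decoded."""
    for tag, attrs in _parse(fragment):
        if tag == "link":
            return attrs.get("href")
    return None

def reflection_breaks_out(builder: Callable[[str], str], request_url: str) -> bool:
    """Defender's check: reflecting the URL through the builder must not add tags beyond the <link>."""
    return start_tags(builder(request_url)) != ["link"]

if __name__ == "__main__":
    for name, builder in (("unescaped", build_canonical_unescaped), ("escaped", build_canonical_escaped)):
        print(f"{name:9s} tags={start_tags(builder(PROBE_URL))} breaks_out={reflection_breaks_out(builder, PROBE_URL)}")
```

The escaped builder keeps the URL intact as data (the parser decodes the href back to the original string) while the tag structure stays fixed, which is the property a test suite should assert for every template that reflects request data.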

Jin said 76.3 percent of links were found vulnerable using his homebrew security tool.

Cross-site scripting flaws allow scripts to be injected into web applications where validation is lax. XSS was the third most common web app flaw and a mainstay of the OWASP Top Ten. ®


Biting the hand that feeds IT © 1998–2017