Weather Channel forecast: Bleak, with prolonged XSS
A billion visitors exposed to scripting storm
The Weather Channel has dammed a downpour of cross-site-scripting vulnerabilities that soaked three quarters of links on the popular site, security bod Wang Jin says.
Wang Jin, a doctoral student at Nanyang Technological University, reported the poor conditions to the site administrators, who closed the basic holes, which affected tens of thousands of links, in late November.
Jin said attackers could have whipped up a scripting storm against visitors.
"Almost all links under the domain weather.com are (were) vulnerable to XSS attacks," Jin said in an advisory.
"Attackers just need to add script at the end of The Weather Channel's URLs [and] then the scripts will be executed.
"The reason of (sic) this vulnerability is that Weather Channel uses URLs to construct its tags without filtering malicious script codes."
Jin said 76.3 percent of the links tested were found vulnerable by his homebrew scanning tool.
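The mechanism the advisory describes, as an added example that is not code from Jin's advisory, from his scanner, or from weather.com: a page concatenates its own URL into an HTML tag with no escaping, so anything appended to the URL lands in the markup verbatim. The `<link rel="canonical">` tag, the probe string and the sample URLs are assumptions chosen for illustration. The escaped builder beside it, and the small reflection check that turns a list of links into a per-link vulnerability count, are also added here and model a generic scanner approach, not Jin's tool.

```javascript
// Added example; not code from Jin's advisory, his scanner, or weather.com.
// It models the bug described above: a page splices its own URL into an HTML
// tag without escaping, so whatever is appended to the URL lands in the markup.

// Constructed probe, in the spirit of "add script at the end of the URL".
// Inside a double-quoted attribute it closes the value, closes the tag and
// opens a <script> element.
const PROBE = '"><script>alert(1)</script>';

// Vulnerable pattern (assumed shape of the bug): the raw URL, which in a
// browser would be location.href, is concatenated straight into an attribute.
function buildTagUnsafe(pageUrl) {
  return '<link rel="canonical" href="' + pageUrl + '">';
}

// Fix: encode the characters that change meaning inside an HTML attribute
// before concatenating. Encoding is context-specific; this is the attribute
// context, which is where the URL is being placed here.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function buildTagSafe(pageUrl) {
  return '<link rel="canonical" href="' + escapeHtmlAttr(pageUrl) + '">';
}

// Reflection check of the kind a homebrew XSS scanner performs (assumed
// approach, not Jin's tool): render the page for URL + probe and report
// whether the probe survives byte-for-byte in the output.
function reflectsUnescaped(render, baseUrl) {
  return render(baseUrl + PROBE).includes(PROBE);
}

// Scan a constructed site and return the share of vulnerable links. Each
// entry pairs a URL with the template function that renders it.
function scanSite(pages) {
  const hits = pages.filter((p) => reflectsUnescaped(p.render, p.url)).map((p) => p.url);
  return {
    total: pages.length,
    vulnerable: hits.length,
    percent: Math.round(((100 * hits.length) / pages.length) * 10) / 10,
    hits,
  };
}

// Constructed sample: three templates still concatenate raw URLs, one uses
// the escaped builder. The URLs are illustrative, not links from the advisory.
const SAMPLE_SITE = [
  { url: 'https://weather.com/weather/today/', render: buildTagUnsafe },
  { url: 'https://weather.com/weather/hourbyhour/', render: buildTagUnsafe },
  { url: 'https://weather.com/weather/tenday/', render: buildTagUnsafe },
  { url: 'https://weather.com/about/', render: buildTagSafe },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildTagUnsafe('https://weather.com/weather/today/' + PROBE));
  console.log(buildTagSafe('https://weather.com/weather/today/' + PROBE));
  console.log(scanSite(SAMPLE_SITE));
}
```

The unsafe builder emits the probe intact, so a browser would parse a closed `<link>` followed by a live `<script>`; the safe builder emits `&quot;&gt;&lt;script&gt;...`, which the parser keeps inside the attribute value. Note the fix is the attribute-context encoder, not a blacklist of "script": the page's own job is to treat the URL as data wherever it is spliced in.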