Exclusive: Widespread security flaw affects hundreds of UK news sites
A security flaw has been discovered in a number of UK news websites, potentially placing 24.5 million users at risk. The problem was found in websites run by Johnston Press, a UK media group that is responsible for scores of regional news websites.
Just a few days ago we reported about the findings of security researcher Brute Logic. He discovered an XSS vulnerability on Amazon that risked exposing user data and could be used to compromise accounts. Now the same researcher has discovered another cross-site scripting security flaw that could be used to redirect visitors to malicious websites -- and it's worryingly simple to exploit.
Brute Logic found that sites such as Worthing Herald can be easily commandeered. He demonstrated the vulnerability by using a custom URL to generate a popup on Johnston Press websites and explained that the very same technique could be used to redirect visitors to a phishing website. He points out that this type of attack is not detected by the Auditor feature of Google Chrome which is supposed to offer protection against XSS vulnerabilities.
In all, the problem affects hundreds of websites -- both desktop sites and mobile versions -- all seemingly sharing the same IP address. Brute Logic submitted details of the vulnerability to XSSposed, where he remains the top researcher, giving the following description:
The vulnerability is still unpatched putting worthingherald.co.uk users, visitors and administrators at risk of being compromised by malicious hackers. Theft of cookies, personal data, authentication credentials and browser history are probably the less dangerous consequences of XSS attacks.
XSS attacks are becoming more and more sophisticated these days and are being used in pair with spear phishing, social engineering and drive-by attacks.
Brute Logic points out that while it is common for people to worry about high profile websites such as Amazon having vulnerabilities, it's easy to forget about the smaller fish. But as the size of the Johnston Press audience demonstrates, even a security issue with a smaller site has the potential to have a huge impact:
The danger is greater because these companies are less security aware and attacks will be very targeted.
We have reached out to Johnston Press for comment, but at the time of writing we have yet to hear back with a response.