World Economic Forum’s Website Plagued by XSS and Other Security Issues


XSS vulnerability on WEF website

Security researchers from High-Tech Bridge have identified a number of security issues on the official website of the World Economic Forum (WEF), the organization whose members are meeting these days in Davos, Switzerland.

Initially, experts found a cross-site scripting (XSS) vulnerability on a subdomain. Later, they identified a couple of other XSS flaws on the main website, weforum.org.

High-Tech Bridge immediately sent the organization a security report via email. Although they expected a quick response, no one responded to the experts’ notifications for a period of five days.

While searching for additional contact information, researchers came across a flaw on the WEF website that exposed the email addresses of all those who had contacted the organization via its “contact company representative” form.

Experts say that several thousand email addresses could have been harvested by spammers, because the form transmitted the addresses in a hidden parameter.

On top of that, the SSL certificate on the WEF site was invalid, exposing user information to traffic sniffing.

One day after High-Tech Bridge published its report on the vulnerabilities, WEF representatives contacted the security firm to clarify that the issues had been fixed.
