Security researchers from High-Tech Bridge have identified a number of security issues on the official website of the World Economic Forum (WEF), the organization whose members are meeting these days in Davos, Switzerland.
Initially, experts found a cross-site scripting (XSS) vulnerability on a subdomain. Later, they identified a couple of other XSS flaws on the main website, weforum.org.
High-Tech Bridge immediately sent the organization a security report via email. Although they expected a quick response, no one responded to the experts’ notifications for a period of five days.
While searching for additional contact information, researchers came across a flaw on the WEF website that exposed the email addresses of all those who had contacted the organization via its “contact company representative” form.
Experts say that several thousand email addresses could have been obtained by spammers due to a hidden parameter used to transmit email addresses.
On top of that, the SSL certificate on the WEF site was invalid, exposing user information to traffic sniffing.
One day after High-Tech Bridge published its report on the vulnerabilities, WEF representatives contacted the security firm to clarify that the issues had been fixed.