XSS Vulnerability Found in WikiLeaks’ Internal Search Engine


Video: http://www.youtube.com/watch?feature=player_embedded&v=7a5H2kdoqFY

Earlier this week, WikiLeaks added an internal search engine to its website to allow users to find documents based on certain keywords. Almost immediately, security researchers noticed that the input wasn’t properly sanitized.

Security expert Mazin Ahmed has published a video on YouTube to demonstrate the existence of the cross-site scripting (XSS) vulnerability. He reported it to WikiLeaks, which addressed the flaw within hours.

WikiLeaks hasn’t said anything to Ahmed. However, since the vulnerability was not difficult to find, it’s possible that a number of researchers reported it to the whistleblowing website.

Generally, such flaws are not critical, but they can be abused by cybercriminals, especially if they’re combined with other bugs.

Check out the proof-of-concept video published by Mazin Ahmed.
