Earlier this week, WikiLeaks added an internal search engine to its website to allow users to find documents based on certain keywords. Almost immediately, security researchers noticed that the search input wasn’t properly sanitized.
Security expert Mazin Ahmed has published a video on YouTube to demonstrate the existence of the cross-site scripting (XSS) vulnerability. He reported it to WikiLeaks, which addressed the flaw within hours.
WikiLeaks hasn’t said anything to Ahmed. However, since the vulnerability was not difficult to find, it’s possible that a number of researchers reported it to the whistleblowing website.
Generally, XSS flaws like this one are not critical, but they can be abused by cybercriminals, especially if they’re combined with other bugs.