Cross-Site Scripting (XSS) Vulnerability in New York Times' Articles Before 2013

New York Times articles` pages from the nytimes[dot]com domain, dated before 2013 suffer from an XSS cross-site scripting vulnerability, according to the report posted by security researcher Wang Jing on the Tetraph Blog.

Cross-site scripting (XSS) vulnerabilities usually reside in web applications and can be used by attackers to modify the normal flow of the web page.

“For XSS attacks, one important thing is to persuade victims to click the URLs sent to them. For my findings, attackers can just attach the attacking code behind almost all articles published by New York Times before 2013,” Wang Jing said via email. “This makes the victims more vulnerable to attacks.”

The researcher also published a video of the Proof-of-Concept in which he proves the existence of the XSS flaw.

In New York Times’ case the vulnerability occurs in its URLs due to their failure to filter content that is used for the construction on pages before 2013.

All pages before 2013 that contain buttons such as “PRINT”,”SINGLE PAGE”, “Page” and “NEXT PAGE” are affected by the XSS vulnerability.

The exploitability timeframe is determined by the fact that, according to the researcher, New York Times has now a much safer mechanism, implemented sometime in 2013, that sanitizes all URLs sent to its server.

So how important is this if the articles were posted before 2013?

All links are still indexed in search engines such as Google and some of those links can be sometimes used to make a past reference on a current subject.

This means that those pages can still get significant traffic which could make them valuable to an attacker, if the respective article is linked along with the bad code in, say, a forum or bulletin board.

Now how ugly can things get if an XSS vulnerability is exploited?

That’s easy, a cybercriminal can easily perform Session Hijacking, Phishing (as Wang Jing suggested above), or even steal cookies, URL redirect, mine for victim’s browser details and eventually launch browser exploits.

XSS vulnerabilities can be exploited and leaving the theory aside, so far we have seen Mozilla, eBay, Yahoo or TweetDeck having issues with this kind of flaw, the last three of them experiencing attacks that were exploiting cross-site scripting (XSS) vulnerabilities.