Weather Channel Web Site Vulnerable to Reflected Cross-Site Scripting (XSS)

The popular Weather Channel website (Weather.com) has been found to be vulnerable to a reflected Cross-Site Scripting flaw, according to researcher Wang Jing.

The Weather Channel is the most common US-based cable and satellite TV channel with close to 100 million subscribers. Its Alexa global rank is 143 and US rank is 35.

“If The Weather Channel’s users were exploited, their identity may be stolen,” Jing said via email. “At the same time, attackers may use the vulnerability to spy on users’ habits, access sensitive information, alter browser functionality, perform denial of service attacks, etc.”

Weather.com’s monthly traffic may exceed 50-60 million visitors, which makes it a high-profile target.

During his research, Jing also noticed that 76.3 per cent of the 10,000 Weather.com links tested were vulnerable to XSS attacks.

The vulnerability arises because Weather.com does not filter script code when it constructs HTML tags from its URLs.

As a result, an attacker can append a script to the end of a URL, and it executes in the browser of a user who opens that link.
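The flaw class described above, as an added example that is not from the article and is not Weather.com's code: a page helper that echoes the request path into an HTML tag, shown unescaped and then hardened. The function names, the `example.test` host and the sample path are hypothetical and constructed for illustration.

```javascript
// Added example (hypothetical names; not Weather.com's code).
// Constructed sample: a request path with markup appended to the end of the URL.
const SAMPLE_PATH = '/forecast/"><script>alert(1)</script>';

// Vulnerable: the raw request path is concatenated into an attribute value.
function renderCanonicalUnsafe(requestPath) {
  return '<link rel="canonical" href="https://example.test' + requestPath + '">';
}

// Escape the characters that can close a quoted attribute or open a new tag.
function escapeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: percent-encode each path segment (decoding first so an already
// encoded segment is not double-encoded), then escape for the attribute context.
// Simplification: the input is treated as a path only, with no query string.
function renderCanonicalSafe(requestPath) {
  const encoded = String(requestPath)
    .split('/')
    .map((seg) => {
      try {
        return encodeURIComponent(decodeURIComponent(seg));
      } catch {
        return encodeURIComponent(seg); // malformed %-sequence: encode as-is
      }
    })
    .join('/');
  return '<link rel="canonical" href="https://example.test' + escapeHtmlAttr(encoded) + '">';
}

// Regression check for a test suite: the template emits only a <link> tag,
// so any other opening tag in the output came from the reflected URL.
function containsInjectedTag(html) {
  const tags = html.match(/<\s*[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => !/^<link\b/i.test(tag));
}

console.log(containsInjectedTag(renderCanonicalUnsafe(SAMPLE_PATH))); // reflected markup present
console.log(renderCanonicalSafe(SAMPLE_PATH));                        // inert, encoded href
```

Running a check like `containsInjectedTag` over every templated route is one way to measure how many links share the same unescaped reflection.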

“Since almost all links of The Weather Channel can be used for the attacks, attackers can target different users based on different links, the success rate of attacks might be high,” Jing concluded.

A proof of concept video has also been released on YouTube.

About the author

Lucian Ciolacu
