Popular Weather Channel web site (Weather.com) has been found to be vulnerable to a reflected Cross-Site Scripting flaw, according to security researcher Wang Jing’s research. The vulnerability lies in that Weather.com does not filter malicious script codes when constructing HTML tags with its URLs. This way, an attacker just adds a malicious script at the end of the URL and executes it.
“If The Weather Channel’s users were exploited, their Identity may be stolen,” Jing said via email. “At the same time, attackers may use the vulnerability to spy users’ habits, access sensitive information, alter browser functionality, perform denial of service attacks, etc.”
Wang Jing is a Ph.D student from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore. He found that at list 76.3% of Weather Channel website links were vulnerable to XSS attacks. Attackers just need to add scripts at end of Weather Channel’s URLs. Then the scripts will be executed.
Related News:
http://www.computerworld.com/article/2852502/weathercom-fixes-web-app-flaws.html
http://seclists.org/fulldisclosure/2014/Nov/89
http://packetstormsecurity.com/files/129288/weatherchannel-xss.txt
http://webcabinet.tumblr.com/post/116076287997/whitehatview-the-weather-channel-fixes-web-app
http://www.securitylab.ru/news/462524.php
http://whitehatpost.lofter.com/post/1cc773c8_6f2d4a8
http://www.tetraph.com/blog/it-news/weather-channel-xss/
https://www.facebook.com/websecuritiesnews/posts/699866823466824
https://itswift.wordpress.com/2014/12/01/76-3-weather-channel-xss-attacks/
https://www.secnews.gr/weather-channel-xss