Huffington Post UK XSS Flaw (Disclosed & Fixed)
The UK version of the Huffington Post was vulnerable to an XSS flaw. This allowed any malicious user to inject images, video, text, and JavaScript into the page.
Although the above image shows a very silly use of XSS, it could quite easily be used to craft a page to encourage journalists and readers to enter their passwords - and then send them off to criminals.
What's unusual is that it appears to be powered by Google Custom Search - which should really be robust against this source of attack.
I strongly encourage people to read and understand the OWASP Guide to XSS - and their other fine guides.
It will save a lot of heartache later on.
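As an added illustration (not code from the Huffington Post or from this post's author), the sketch below shows output encoding for a search term echoed into a results page, with the unencoded "before" beside the encoded "after" and a regression check. The template, function names and sample queries are constructed assumptions; the post does not say how the site rendered the query.

```javascript
// Added example: hypothetical search-results template, not the site's code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode the characters that can change HTML parsing state in
// element content and in quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// BEFORE: the query is concatenated into the markup unencoded.
function renderResultsVulnerable(query) {
  return '<h1>Results for ' + query + '</h1>' +
         '<input name="q" value="' + query + '">';
}

// AFTER: same template, every interpolation encoded.
function renderResultsHardened(query) {
  const q = escapeHtml(query);
  return '<h1>Results for ' + q + '</h1>' +
         '<input name="q" value="' + q + '">';
}

// Regression check: the rendered page must contain only the template's
// own tags (h1, /h1, input) and the input's own attributes (name, value).
// Anything else means the query was parsed as markup.
function isTemplateIntact(html) {
  const tags = [...html.matchAll(/<(\/?[a-z][a-z0-9]*)/gi)].map((m) => m[1].toLowerCase());
  const input = /<input\b([^>]*)>/i.exec(html);
  const attrs = input
    ? [...input[1].matchAll(/([a-z-]+)="[^"]*"/gi)].map((m) => m[1].toLowerCase())
    : [];
  return tags.join(',') === 'h1,/h1,input' && attrs.join(',') === 'name,value';
}

// Constructed sample queries covering element and attribute contexts.
const SAMPLE_QUERIES = [
  'cats',
  '<img src="https://example.invalid/a.png">',
  '<script>alert(1)</script>',
  '" data-injected="1',
];

for (const q of SAMPLE_QUERIES) {
  console.log(JSON.stringify(q),
    'vulnerable intact:', isTemplateIntact(renderResultsVulnerable(q)),
    'hardened intact:', isTemplateIntact(renderResultsHardened(q)));
}
```

The last sample query shows why quotes must be encoded as well as angle brackets: it adds no tag, only an attribute on the existing input element.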
Timeline
- 20th February 2014 - Disclosed via their "technical problems with the website" form.
- 21st February 2014 - No response, so escalated to the Executive Editor.
- 26th February 2014 - Confirmed fixed.