ESPN Are Suffering Serious XSS and Dest Redirect Privilege Escalation Security Vulnerabilities
Popular ESPN website (espn.go.com) has been found to be vulnerable to multiple serious XSS and Dest Redirect Privilege Escalation security vulnerabilities according to Wang Jing, a mathematics student from the School of Physical and Mathematical Sciences at Nanyang Technological University in Singapore.
Wang found a large number of ESPN’s credible links were vulnerable to XSS and Dest Redirect Privilege Escalation attacks. These vulnerabilities occur at ESPN’s “login” & “register” pages.
ESPN is one of the most common U.S.-based cable and satellite TV channel with close to 100 million subscribers. Its Alexa global rank is 63 and US rank is 14. Based on eBizMBA, “As of December 1, 2014, ESPN has an estimated 80,000,000 unique monthly visitors.” At the same time, ESPN broadcasts in more than 200 countries.
Wang posted his findings on the Full Disclosure forum. He wrote that he had reported the issues to ESPN in early May 2014 but the vulnerabilities are still unpatched. According to Wang, “Those vulnerabilities are very dangerous. Since they happen at ESPN’s “login” & “register” pages that are credible. Attackers can abuse those links to mislead ESPN’s users. The success rate of attacks may be high.“ Proof of concept videos have also been released on YouTube to illustrate an attack.
According to OWASP, “XSS allows attackers to execute scripts in the victims browser which can hijack user sessions, deface websites or redirect the user to malicious sites.” While Dest Redirect Privilege Escalation “is used in phishing attacks to get users to visit malicious sites without realizing it.” If ESPN’s users were exploited, attackers can get their identity. Those attacks can also be used to steal password, perform denial of service attacks, spy users’ habits, alter browser functionality, access sensitive information and so on.
Wang wrote his tests were using Firefox (33.0) in Ubuntu (14.04) and IE (8.0. 7601) in Windows 8. And the attack could work without a user being logged in.