A Singapore-based doctoral student discovered a flaw in The Weather Channel’s website that left more than 75 percent of its pages vulnerable to cross-site scripting attacks.
Attackers only needed to add script to the end of The Weather Channel’s URLs, or the domain weather.com, to take advantage of the flaw, Wang Jing wrote in his write-up of the vulnerability. Jing said the site used URLs to create its tags without filtering malicious script code, which left the pages vulnerable to attack.
To explore this issue, Jing tested 10,000 links with a tool he wrote himself. The vulnerability could be exploited without user login credentials and worked in Firefox (26.0), Ubuntu (12.04) and Internet Explorer (9.0.15) in Windows 7. A video of the vulnerability was also included in Jing’s write-up.
This issue was patched in November, Jing wrote.
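The pattern Jing describes, a tag built from the request URL without filtering, is shown below next to an output-encoded version. This is an added example, not code from weather.com or from Jing’s write-up; the function names, the `example.test` host, the choice of a canonical link tag and the sample paths are all assumptions made for illustration.

```javascript
// Added illustration. Names, host and sample paths are assumptions,
// not code or URLs taken from weather.com.

// Vulnerable pattern: the request path is copied into a tag attribute as-is.
function renderCanonicalUnsafe(requestPath) {
  return '<link rel="canonical" href="https://example.test' + requestPath + '">';
}

// HTML-encode the characters that can close an attribute or open a new tag.
function escapeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: same tag, with the path encoded for the attribute context.
function renderCanonicalSafe(requestPath) {
  return '<link rel="canonical" href="https://example.test' + escapeHtmlAttr(requestPath) + '">';
}

// Regression check: count tag openers/closers in the rendered output.
// A correct template yields exactly one (<link>) whatever the URL contains.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/]/g) || []).length;
}

// Constructed samples: a normal path, and one with markup appended to the end.
const samples = [
  '/forecast/city-1',
  '/forecast/city-1"><script>/*marker*/</script>',
];

for (const path of samples) {
  console.log(
    'unsafe tags:', countTags(renderCanonicalUnsafe(path)),
    '| safe tags:', countTags(renderCanonicalSafe(path))
  );
}
```

A tag count above one for any URL-derived fragment is a useful regression test to run across a site’s page templates after a fix like this.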