Household Name LG Scores Poorly in Defending against XSS Attacks
  • By Kim Yu-na (yuna@koreaittimes.com)
  • Approved 2014.06.19 18:52

SEOUL, KOREA - Reflected (or non-persistent) cross-site scripting (XSS) vulnerabilities have been detected on the websites of LG Electronics, LG ELIT (the website of The LG Sangnam Library) and LG Science Land (run by the LG Sangnam Library). XSS, a malicious code injection attack, could cause the victim’s browser to execute the injected malicious script through the browser’s search function.



The Open Web Application Security Project (OWASP), a non-profit charitable organization dedicated to improving the security of software, has named reflected XSS, a type of computer security vulnerability typically found in Web applications, as one of the three most common Web security threats. The Ministry of Security and Public Administration (MOSPA) of South Korea has already suggested preventive measures against XSS attacks in its 2012 cyber security guidelines. However, LG, one of the nation’s largest conglomerates, stopped short of observing the guidelines.

In a cross-site scripting (XSS) attack, a malicious script is inserted into the website’s search box or address bar. XSS enables the attacker to inject arbitrary web script or HTML into various websites via the kwd parameter and then to trick users into clicking on the malicious link. Thus, the malicious code could be distributed and spread as widely as possible.

To top it off, XSS attacks could lead to large-scale security breaches, such as the leak of sensitive personal data (including financial information) and keylogging, depending on the purpose of the malicious code.

Microsoft’s Internet Explorer 6 and 7 and all the versions of Firefox are vulnerable to XSS attacks. Users of Internet Explorer 8 or higher should enable the Internet Explorer 8 XSS filter so as to foil XSS attacks.

Website operators should either show search results after deleting “<” and “>” or choose not to show any search results when they spot “<” or “>”, Lockdown, a white hacker group, advised. XSS-vulnerable websites should also inform their visitors of the fact that they fell victim to XSS attacks and should stay on high alert to prevent secondary damage, Lockdown added.
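
The two filtering options Lockdown describes, shown next to HTML output encoding on a search page that echoes the kwd parameter. This is an added example, not code from the article or from any LG website; the page template, the host name and the function names are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical results page that echoes the search term in two places.
PAGE = '<form><input name="kwd" value="{kwd}"></form><p>Results for: {kwd}</p>'

def get_kwd(url):
    """Extract the kwd search parameter from a request URL."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("kwd", [""])[0]

def render_vulnerable(url):
    """Reflects kwd unchanged: markup in the query becomes part of the page."""
    return PAGE.format(kwd=get_kwd(url))

def render_stripped(url):
    """Option 1 from the advice: delete '<' and '>' before showing results."""
    kwd = get_kwd(url).replace("<", "").replace(">", "")
    return PAGE.format(kwd=kwd)

def render_rejecting(url):
    """Option 2 from the advice: show no results when '<' or '>' is present."""
    kwd = get_kwd(url)
    if "<" in kwd or ">" in kwd:
        return "<p>No results.</p>"
    return PAGE.format(kwd=kwd)

def render_encoded(url):
    """Output encoding: every HTML metacharacter, quotes included, is escaped."""
    return PAGE.format(kwd=html.escape(get_kwd(url), quote=True))

# Constructed sample requests (hypothetical host, not taken from the article).
TAGGED = "https://search.example/search?kwd=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
QUOTED = "https://search.example/search?kwd=tv%22%20stand"

if __name__ == "__main__":
    for fn in (render_vulnerable, render_stripped, render_rejecting, render_encoded):
        print(fn.__name__, "->", fn(TAGGED))
        print(fn.__name__, "->", fn(QUOTED))
```

In the second sample the double quote passes through both angle-bracket filters unchanged and ends the `value` attribute early, while the encoded version keeps the whole term inside the attribute.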

The XSS-vulnerable websites of LG Electronics, LG ELIT and LG Science Land are high-traffic, so myriads of users could fall prey to XSS attacks if the status quo in Web security persisted.


  • Copyright (C) Korea IT Times, All rights reserved.