New York Times Articles Before 2013 May Vulnerable to XSS Attack

Information pinned on noticeboard

New York Times articles’ pages dated before 2013 may suffer from an XSS (Cross-site Scripting) vulnerability, according to the report posted by security researcher Wang Jing. Wang is a mathematics Ph.D student from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore. He published his discovery in well-known security mail list Full Disclosure.


According to Wang, all pages before 2013 that contain buttons such as “PRINT”,”SINGLE PAGE”, “Page” and “NEXT PAGE” are affected by the XSS vulnerability. Meanwhile, the researcher also published a proof of concept video to prove the existence of the XSS flaw.


As of yet, there are no known cases of criminals exploiting the Times’ XSS issue in order to attack users. However, according to Wang, the threat is possible, and the New York Times has a big enough audience that an XSS attack, even via its older articles, could still affect a broad number of users. The affected New York Times articles are still indexed in Google search engines, and are still frequently hyperlinked in other articles.


However according to the researcher, New York Times has now a much safer mechanism, implemented sometime in 2013, that sanitizes all URLs sent to its server.


Cross-site scripting (XSS) vulnerabilities usually reside in web applications and can be used by attackers to modify the normal flow of the web page. A cybercriminal can use it easily to perform URL redirect, mine for victim’s browser details, session hijacking, phishing, or even steal cookies.


XSS issues are not entirely uncommon. So far we have seen that Google, Amazon, Microsoft, Yahoo and Facebook all had this kind issue reported.


Related News:



Google DoubleClicK System Bugs Could Be Used by Spammers



Google (Advertising) System URL Redirection Vulnerabilities Could Be Used by Spammers


Although Google does not include Open Redirect vulnerabilities in its bug bounty program, its preventive measures against Open Redirect attacks have been quite thorough and effective to date.


However, Google might have overlooked the security of its ​advertising system. After some test, it is found that most of the redirection URLs within are vulnerable to Open Redirect vulnerabilities. Many redirection are likely to be affected. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.


These redirections can be easily used by spammers, too.


Some URLs belong to are vulnerable to Open Redirect attacks, too. While Google prevents similar URL redirections other than Attackers can use URLs related to Google Account to make the attacks more powerful.


Moreover, these vulnerabilities can be used to attack other companies such as Google, eBay, The New York Times, Amazon, Godaddy, Yahoo, Netease, e.g. by bypassing their Open Redirect filters (Covert Redirect). These cyber security security bug problems have not been patched. Other similar web and computer attacks will be published in the near future.



Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)




(1) Background Related to Google

(1.1) What is

DoubleClick is a subsidiary of Google which develops and provides Internet ad serving services. Its clients include agencies, marketers (Universal McCann, AKQA etc.) and publishers who serve customers like Microsoft, General Motors, Coca-Cola, Motorola, L’Oréal, Palm, Inc., Apple Inc., Visa USA, Nike, Carlsberg among others. DoubleClick’s headquarters is in New York City, United States.


DoubleClick was founded in 1996 by Kevin O’Connor and Dwight Merriman. It was formerly listed as “DCLK" on the NASDAQ, and was purchased by private equity firms Hellman & Friedman and JMI Equity in July 2005. In March 2008, Google acquired DoubleClick for US$3.1 billion. Unlike many other dot-com companies, it survived the dot-com bubble and focuses on uploading ads and reporting their performance." (Wikipedia)


(1.2) Reports Related to Google Used by Spammers


Google has been used by spammers for long time. The following is a report in 2008.


“The open redirect had become popular with spammers trying to lure users into clicking their links, as they could be made to look like safe URLs within Google’s domain."



Mitechmate published a blog related to spams in 2014. is recognized as a perilous adware application that causes unwanted redirections when surfing on the certain webpages. Actually it is another browser hijacker that aims to distribute frauds to make money.Commonly people pick up Ad.doubleclick virus when download softwares, browse porn site or read spam email attachments. It enters into computer sneakily after using computer is not just annoying, this malware traces users’ personal information, which would be utilized for cyber criminal."



Malwarebytes posted a news related to malvertising in 2014.



(2) System URL Redirection Vulnerabilities Details.

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0. (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.


Used webpages for the following tests. The webpage address is ““. We can suppose that this webpage is malicious.



(2.1) Vulnerable URLs Related to


Some URLs belong to are vulnerable to Open Redirect attacks. While Google prevents similar URL redirection other than


Vulnerable URLs:




Attackers can make use of the following URLs to make the attacks more powerful, i.e.






While Google prevents similar URL redirection other than , e.g.




(2.2) Vulnerable URLs Related to

Vulnerable URLs 1:




Vulnerable URLs 2:




Vulnerable URLs 3:





We can see that Google has Open Redirect vulnerabilities and could be misused by spammers.






Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Google has patched some of them. BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them. The below things be posted to the Bugtraq list: (a) Information on computer or network related security vulnerabilities (UNIX, Windows NT, or any other). (b) Exploit programs, scripts or detailed processes about the above. (c) Patches, workarounds, fixes. (d) Announcements, advisories or warnings. (e) Ideas, future plans or current works dealing with computer/network security. (f) Information material regarding vendor contacts and procedures. (g) Individual experiences in dealing with above vendors or security organizations. (h) Incident advisories or informational reporting. (i) New or updated security tools. A large number of the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. It also publishes suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.




(3) Google Can Adversely Affect Other Websites.

At the same time, Google can be used to do “Covert Redirect" to other websites, such as Google, eBay, The New York Times, etc.(Bypass other websites’ Open Redirect filters)



(3.1) Google Covert Redirect Vulnerability Based on



“Google is an American multinational technology company specializing in Internet-related services and products. These include online advertising technologies, search, cloud computing, and software. Most of its profits are derived from AdWords, an online advertising service that places advertising near the list of search results. Google was founded by Larry Page and Sergey Brin while they were Ph.D. students at Stanford University. Together they own about 14 percent of its shares but control 56 percent of the stockholder voting power through supervoting stock. They incorporated Google as a privately held company on September 4, 1998. An initial public offering followed on August 19, 2004. Its mission statement from the outset was “to organize the world’s information and make it universally accessible and useful," and its unofficial slogan was “Don’t be evil". In 2004, Google moved to its new headquarters in Mountain View, California, nicknamed the Googleplex. The corporation has been estimated to run more than one million servers in data centers around the world (as of 2007). It processes over one billion search requests and about 24 petabytes of user-generated data each day (as of 2009). In December 2013, Alexa listed as the most visited website in the world. Numerous Google sites in other languages figure in the top one hundred, as do several other Google-owned sites such as YouTube and Blogger. Its market dominance has led to prominent media coverage, including criticism of the company over issues such as search neutrality, copyright, censorship, and privacy." (Wikipedia)


Vulnerable URL:




More Details:



(3.2) eBay Covert Redirect Vulnerability Based on



“eBay Inc. (stylized as ebay) is an American multinational corporation and e-commerce company, providing consumer to consumer & business to consumer sales services via Internet. It is headquartered in San Jose, California, United States. eBay was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble. Today, it is a multi-billion dollar business with operations localized in over thirty countries. The company manages, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. In addition to its auction-style sales, the website has since expanded to include “Buy It Now" shopping; shopping by UPC, ISBN, or other kind of SKU (via; online classified advertisements (via Kijiji or eBay Classifieds); online event ticket trading (via StubHub); online money transfers (via PayPal) and other services. It is not a free website, but charges users an invoice fee when sellers have sold or listed any items." (Wikipedia)


Vulnerable URL:




More Details:



(3.3) The New York Times ( Covert Redirect Vulnerability Based on Google



“The New York Times (NYT) is an American daily newspaper, founded and continuously published in New York City since September 18, 1851, by the New York Times Company. It has won 114 Pulitzer Prizes, more than any other news organization. The paper’s print version has the largest circulation of any metropolitan newspaper in the United States, and the second-largest circulation overall, behind The Wall Street Journal. It is ranked 39th in the world by circulation. Following industry trends, its weekday circulation has fallen to fewer than one million daily since 1990. Nicknamed for years as “The Gray Lady", The New York Times is long regarded within the industry as a national “newspaper of record". It is owned by The New York Times Company. Arthur Ochs Sulzberger, Jr., (whose family (Ochs-Sulzberger) has controlled the paper for five generations, since 1896), is both the paper’s publisher and the company’s chairman. Its international version, formerly the International Herald Tribune, is now called the International New York Times." (Wikipedia)


Vulnerable URL:




More Details:


These vulnerabilities were reported to Google earlier in 2014. But it seems that Google has yet taken any actions. All of the vulnerabilities are still not patched.





Related Posts:



XSS κίνδυνοι εντοπίστηκαν σε συνδέσμους στο New York Times σε άρθρα πριν το 2013

Οι διευθύνσεις URL σε άρθρα στους New York Times (NYT) που δημοσιεύτηκαν πριν από το 2013 έχουν βρεθεί να είναι ευάλωτες σε XSS (cross-site scripting) επίθεση, ικανή να μεταφέρει κώδικα που θα εκτελείται στο πρόγραμμα περιήγησης.




Ένας φοιτητής από τη Σιγκαπούρη με το όνομα Wang Jing ανέφερε την Πέμπτη την ευπάθεια XSS που επηρεάζει τους αναγνώστες της online εφημερίδας. Δημιούργησε επίσης ένα βίντεο που αποδεικνύει την επίθεση στις σελίδες διαφόρων παλαιών άρθρων στο NYT.


Μια ευπάθεια XSS πηγάζει από την επικύρωση ανεπαρκών εισροών χρήστη και επιτρέπει σε μια απειλή να χρησιμοποιήσει κακόβουλο κώδικα σε αυτούς που κάνουν κλικ στον σύνδεσμο. Βασικά, κακή JavaScript προστίθεται μετά από ένα διπλό απόσπασμα σε μια νόμιμη σύνδεση και στη συνέχεια εκτελέστηκαν.


Ο δυνητικός κίνδυνος είναι προφανής, δεδομένου ότι ο εισβολέας θα μπορούσε να επισκιάσει συνεδρίες του προγράμματος περιήγησης, να κλέψει τα cookies ή να κατευθύνει τον χρήστη σε ιστοσελίδες phishing.


Ο ερευνητής δήλωσε ότι δοκίμασε την επίθεση σε Firefox (26.0), σε Ubuntu (12.04) και IE (9.0.15), με Windows 7 και δεν απαιτείται σύνδεση του χρήστη, όπως μπορείτε να δείτε στο βίντεο επίδειξης παρακάτω.



πηγή :



Сингапурский студент обнаружил серьезную уязвимость в OAuth и OpenID

OAuth и OpenID — очень популярные протоколы, которые совместно используются для авторизации и аутентификации. Приложение OAuth генерирует токены для клиентов, а OpenID предоставляет возможность децентрализованной аутентификации на сторонних сайтах, раскрывая персональные данные пользователей.

Студент Ван Цзин (Wang Jing) с факультета математики Наньянского технологического университета в Сингапуре нашел способ, как злоумышленник может перехватить персональные данные пользователей, перенаправив их на вредоносный сайт после авторизации. Речь идет об уязвимости типа скрытого редиректа (covert redirect), по аналогии с известной атакой open redirect.


В этом случае провайдер (Facebook, Google и проч.) видит, что информацию запрашивает нормальное приложение, но на самом деле пользователя скрыто направляют на другой сайт, заменив значение redirect_uri в URL.


Уязвимость затрагивает множество крупных сайтов, такие как Facebook, Google, Yahoo, LinkedIn, Microsoft, VK, Mail.Ru, PayPal, GitHub и другие. Все они выдают по запросу злоумышленника персональные данные пользователя. В случае Facebook это может быть имя, фамилия, почтовый адрес, возраст, место жительства, место работы и проч.


Кстати, open redirect входит в число 10 главных атак за 2013 год по версии OWASP.

Ван Цзин опубликовал видеоролик, в котором показывает способ эксплуатации уязвимости, на примере Facebook OAuth 2.0. По его словам, защититься от таких атак можно только с помощью «белого списка» сайтов для редиректа.