Posted by on in iNews | 10 comments

The Indian shopping portal Shopping is vulnerable against XSS attacks & can allow phishers etc. to get you to input your username, password & credit card data as well.

This security hole reported by Deep Ganatra on 29th January 2005, is still unpatched by Indiatimes after more than 4 months!! Indiatimes & its developers are a bunch of morons & dunder-heads, that I’m now sure of!! They don’t take customer security seriously, take your credit card info etc. for granted & I’d advise you not to shop there!!

For example, this URL is the original URL of Indiatimes Shopping page for USB MP3 players. Now click this, & you’ll be redirected from Indiatimes Shopping site to Google. All I did was just remove the title of the page which is passed in the querystring & replace it with the following JavaScript

  1. document.location.href("");

enclosing it with the <script> & </script> tags. This is just a simple example, it can be leveraged by phishers to re-direct you to Indiatimes look-alike pages on their servers & make you reveal your credit card info etc.

The thing is that the Indiatimes shopping application is sending the page title in the querystring to another page, why is it doing that, I wonder, because if I’m not wrong, they are getting the page title from the database, so why not get it from the database on the relevant page instead of passing it in the query string?? That’s poor coding architecture & the worse thing is that their developers/programmers are ignorant or rather illiterate about the security threats, XSS etc. 🙄 How the hell these hot-shots got the jobs at Indiatimes, I wonder even more!!

So for the record, stay away from Indiatimes Shopping if you don’t want to be the next target of phishers!! You never know who will sneak up on you & when!! 👿