About Group About.com All Topics (At least 99.88% links) Vulnerable to Iframe Injection (Cross Frame Scripting) Security Attacks
All of About.com's "topic sites" are vulnerable to Iframe Injection (Cross Frame Scripting) attacks, which means every sub-domain of about.com is affected. Using a self-written program, 94357 links were tested. Only 118 of them do not belong to the topic-site (Metasite) links, so no more than 0.125% of the links are unaffected, and at least 99.875% of About Group's links are vulnerable to Iframe Injection attacks. In about.com's structure, the main domain is little more than a cover, so very few links belong to it.
These Iframe Injection vulnerabilities can also be used to mount DOS (Denial-of-Service) attacks against other websites.
The vulnerabilities were reported to About on Sunday, Oct 19, 2014. No one replied, and as of this writing they remain unpatched.
(1.1) Domain Description:
“For March 2014, 61,428,000 unique visitors were registered by comScore for About.com, making it the 16th-most-visited online property for that month.” (The New York Times)
“About.com, also known as The About Group (formerly About Inc.), is an Internet-based network of content that publishes articles and videos about various subjects on its “topic sites,” of which there are nearly 1,000. The website competes with other online resource sites and encyclopedias, including those of the Wikimedia Foundation” (Wikipedia)
“As of May 2013, About.com was receiving about 84 million unique monthly visitors.” (TechCrunch. AOL Inc.)
“According to About’s online media kit, nearly 1,000 “Experts” (freelance writers) contribute to the site by writing on various topics, including healthcare and travel.” (About.com)
(1.2) Topics Related to About.com
“The Revolutionary About.com Directory and Community Metasite. Hundreds of real live passionate Guides covering Arts, Entertainment, Business, Industry, Science, Technology, Culture, Health, Fitness, Games, Travel, News, Careers, Jobs, Sports, Recreation, Parenting, Kids, Teens, Moms, Education, Computers, Hobbies and Local Information.” (azlist.about.com)
About.com – Sites A to Z
Number of Topics
In fact, those are not all of about.com's topics. Some topics are not listed there, such as:
So, there are more than 1000 topics related to about.com.
(1.3) Basics of Iframe Injection (Cross Frame Scripting) Vulnerabilities
“XFS also sometimes is used to describe an XSS attack which uses an HTML frame in the attack. For example, an attacker might exploit a Cross Site Scripting Flaw to inject a frame into a third-party web page; or an attacker might create a page which uses a frame to load a third-party page with an XSS flaw.” (OWASP)
(2) Vulnerabilities Details:
About Group has a security problem. It can be exploited by Iframe Injection (Cross Frame Scripting) attacks.
The vulnerability occurs in about.com's “offsite.htm” page via the “zu” parameter, e.g.
The vulnerabilities can be exploited without a user login. Tests were performed on Microsoft IE (10.0.9200.16750) on Windows 8, Mozilla Firefox (34.0) and Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) on Ubuntu 14.04, and Apple Safari 6.1.6 on Mac OS X Lion 10.7.
Use one of the webpages for the following tests. The webpage address is “https://itinfotechnology.
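As an added illustration (not code from this advisory or from About.com), the Python below contrasts an offsite-style page that frames whatever its “zu” parameter carries with a hardened version that only frames allowlisted hosts; the allowed hosts and the request URLs are constructed assumptions.

```python
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed allowlist for illustration: hosts the offsite page may frame
# or forward to. A real deployment maintains this list server-side.
ALLOWED_HOSTS = {"about.com", "www.about.com"}
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_target(target: str) -> bool:
    """Hardened check: accept only an absolute http(s) URL whose host is
    allowlisted. Rejects javascript:/data: schemes, protocol-relative
    forms (//other.host), userinfo tricks (about.com@other.host) and
    look-alike hosts (about.com.other.host)."""
    try:
        parsed = urlparse(target)
    except ValueError:
        return False
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = (parsed.hostname or "").lower()
    if not host:
        return False
    # Exact match or a genuine sub-domain of an allowlisted host.
    return host in ALLOWED_HOSTS or any(
        host.endswith("." + allowed) for allowed in ALLOWED_HOSTS
    )


def frame_target_vulnerable(request_url: str) -> Optional[str]:
    """Weak behaviour the advisory describes: the value of the "zu"
    parameter is used verbatim as the frame source, so any third-party
    page can be framed under the trusted domain."""
    query = parse_qs(urlparse(request_url).query)
    return query.get("zu", [None])[0]


def frame_target_hardened(request_url: str) -> Optional[str]:
    """Hardened behaviour: only an allowlisted target is ever framed.
    Returns None for anything else so the caller can refuse the request
    (an interstitial page or a 400 response) instead of framing it."""
    target = frame_target_vulnerable(request_url)
    if target is None or not is_safe_target(target):
        return None
    return target
```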