IT 计算机信息网络安全技术

IT 技术

© IT 计算机信息网络安全技术 | Powered by LOFTER

About Group ( All Topics (At least 99.88% links) Vulnerable to XSS & Iframe Injection Security Attacks, Open Redirect Web Security Vulnerabilities

Vulnerability Description: all “topic sites” are vulnerable to XSS (Cross-Site Scripting) and Iframe Injection (Cross Frame Scripting) attacks. This means all sub-domains of are affected. Based on a self-written program, 94357 links were tested. Only 118 links do not belong to the topics (Metasites) links. Meanwhile, some main pages are vulnerable to XSS attack, too. This means no more than 0.125% links are not affected. At least 99.875% links of About Group are vulnerable to XSS and Iframe Injection attacks. In fact, for’s structure, the main domain is something just like a cover. So, very few links belong to them.

Simultaneously, the main page’s search field is vulnerable to XSS attacks, too. This means all domains related to are vulnerable to XSS attacks.

For the Iframe Injection vulnerability. They can be used to do DDOS (Distributed Denial-of-Service Attack) to other websites, too.
Here is one example of DDOS based on Iframe Injection attacks of others.

In the last, some “Open Redirect” vulnerabilities related to are introduced. There may be large number of other Open Redirect Vulnerabilities not detected. Since are trusted by some the other websites. Those vulnerabilities can be used to do “Covert Redirect” to these websites.

Vulnerability Disclosure:
Those vulnerabilities were reported to About on Sunday, Oct 19, 2014. No one replied. Until now, they are still unpatched.

Vulnerability Discover:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@Justqdjing)

(1) Some Basic Background

(1.1) Domain Description:

“For March 2014, 61,428,000 unique visitors were registered by comScore for, making it the 16th-most-visited online property for that month.” (The New York Times)

“, also known as The About Group (formerly About Inc.), is an Internet-based network of content that publishes articles and videos about various subjects on its "topic sites,” of which there are nearly 1,000. The website competes with other online resource sites and encyclopedias, including those of the Wikimedia Foundation, and, for March 2014, 61,428,000 unique visitors were registered by comScore for, making it the 16th-most-visited online property for that month. As of August 2012, is the property of IAC, owner of and numerous other online brands, and its revenue is generated by advertising.“ (Wikipedia)

"As of May 2013, was receiving about 84 million unique monthly visitors.” (TechCrunch. AOL Inc.)

“According to About’s online media kit, nearly 1,000 "Experts” (freelance writers) contribute to the site by writing on various topics, including healthcare and travel.“ (

(1.2) Topics Related to

"The Revolutionary Directory and Community Metasite. Hundreds of real live passionate Guides covering Arts, Entertainment, Business, Industry, Science, Technology, Culture, Health, Fitness, Games,Travel, News, Careers, Jobs, Sports, Recreation, Parenting, Kids, Teens, Moms, Education, Computers, Hobbies and Local Information.” ( - Sites A to Z

Number of Topics

A: 66

B: 61

C: 118

D: 49

E: 33

F: 57

G: 39

H: 48

I: 32

J: 15

K: 13

L: 36

M: 70

N: 26

O: 23

P: 91

Q: 4

R: 32

S: 104

T: 47

U: 12

V: 9

W: 43

X: 1

Y: 4

Z: 1

SUM: 1039


In fact, those are not all topics of Some of the topics are not listed here such as,

So, there are more than 1000 topics related to

(1.3) Result of Exploiting XSS Attacks

XSS may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Base on Acunetix, exploited XSS is commonly used to achieve the following malicious results:

   "Identity theft

   Accessing sensitive or restricted information

   Gaining free access to otherwise paid for content

   Spying on user’s web browsing habits

   Altering browser functionality

   Public defamation of an individual or corporation

   Web application defacement

   Denial of Service attacks (DOS)

“ (Acunetix)

… …


Related Articles:

热度 ( 18 )
  1. 白帽子安全数学日记 转载了此图片  到 竹意
  2. 白帽子安全数学日记 转载了此图片  到 测试想法
  3. 白帽子安全数学日记 转载了此图片  到 湛天雲海碧波影
  4. 白帽子安全数学日记 转载了此图片  到 文豆 & 文库
  5. 白帽子安全数学日记 转载了此图片
  6. 计算机网络技术数学日记 转载了此图片  到 行者路上有風有雨有彩虹
  7. 计算机网络技术数学日记 转载了此图片  到 绿意蛙鸣
  8. 计算机网络技术数学日记 转载了此图片  到 IT 计算机&信息网络 技术
  9. 计算机网络技术数学日记 转载了此图片