Kika is the name of a tv channel maintained by ARD and ZDF. This channel is very popular to childrens, because programs like “Sendung mit der Maus” or “Sandmännchen” are broadcasted there. Wikipedia states that the website kika.de offers the possibility to watch livestreams or gather additional information about the programs. In our opinion is very important especially when the user group is yound and unexperienced. This was our main reason to take a look at kikas security.
After we got an overview over the website, it seemed like there weren’t any vulnerabilites. But before we finished the tests we discovered a cross site scripting vulnerability in the search function. This vulnerability allows an attacker to manipulate the appearence and/or behaviour of the website in the context of his victim.
We contacted the webmaster on the 13th of june and forwarded all information about the xss. Three days later the described xss vulnerability was fixed by the security team and again three days later they sent us an friendly answer. At this point we want to thank kikas editorial staff for the competent and responsible handling of the vulnerability.
The team of internetwache.org
Screenshots
