The “Spiegel” is one of the most popular news magazines in Germany. The Spiegel realized a long time before their competitives that it’s important to get a strong position in the new and upcoming internet market - the reason why they built up their first web presence in 1994. Today it’s one of the most popular and widely covering in Germany. It’s quite fun to browse through their website - especially due to their clarity and many useful and vivid applications, but this should go hand in hand with security.
We’ve discovered two Cross-Site Scripting vulnerabilities on two different subpages of the spiegelonline.de domain. One has been found on “kopfsache.spiegelonline.de” and the other one on the login page for the students’ living community “studenten-wg.spiegelonline.de”.
We tweeted Spiegelonline on 16. Feb. 2012 and asked for an inhouse contact who’s responsible for their website security. Two days after contacting, we received the awaited response via Twitter and mailed all details to the technical director. We were told that both subpages are maintained by two different service providers and both of them have been informed.
The XSS vulnerability on “studenten-wg.spiegelonline.de” has been fixed only a week later, and finally on 28. Sept. 2012 the second flaw on “kopfsache.spiegelonline.de” has been fixed too. We would like to say “thank you” to the Spiegelonline team for the quite quick fix and can successfully close another case here.
The team of internetwache.org
Screenshots:
