Heise fixes XSS vulnerabilities

Heise.de is one of the biggest technology news portals; it started back in 1996. Since then a lot of things have changed. For example, heise.de now has a separate category for every topic. In short: nerds, geeks and technology-affine people cannot miss Heise's news reports if they want to stay on top of the latest technology news. However, such a big portal can sometimes be vulnerable, too.

After a while we discovered a GET parameter called “backlink”, whose value is written into the href attribute of a “back” link. Setting the parameter to “javascript:alert(/XSS/)” and clicking on the generated link triggered the XSS. An attacker would have been able to steal the user's cookies (see screenshot below).
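The root cause described above is a user-supplied URL being placed into an href without restricting its scheme, so a `javascript:` URI becomes clickable. The following is an added example (not code from internetwache.org or from Heise) of how a server can validate such a parameter before rendering the link: only `http`/`https` or single-slash relative paths are accepted, the tab/newline and leading-whitespace tricks browsers tolerate are neutralised first, and the result is still attribute-escaped. The function names, the `DEFAULT_BACKLINK` fallback and the optional host allow-list are assumptions for the example; the `www.heise.de` host in the usage is just a sample value.

```python
import re
from html import escape
from urllib.parse import urlsplit, urlunsplit

# Assumed fallback used whenever the supplied value is rejected.
DEFAULT_BACKLINK = "/"
ALLOWED_SCHEMES = {"http", "https"}

# Browsers strip leading/trailing C0 controls and spaces, and drop tab,
# CR and LF anywhere, before parsing the scheme. Do the same, otherwise
# "java\tscript:" or " javascript:" would slip past a naive prefix check.
_STRIP_CHARS = "".join(chr(c) for c in range(0x21))
_INLINE_JUNK = re.compile(r"[\t\r\n]")


def safe_backlink(value, allowed_hosts=None):
    """Return a URL that is safe to use as an href, or DEFAULT_BACKLINK.

    allowed_hosts: optional set of hostnames; when given, absolute URLs
    pointing elsewhere are rejected (also closes the open-redirect case).
    """
    if not value:
        return DEFAULT_BACKLINK
    cleaned = _INLINE_JUNK.sub("", value.strip(_STRIP_CHARS))
    parts = urlsplit(cleaned)
    scheme = parts.scheme.lower()

    if scheme == "":
        # Relative URL: accept "/path" only, never "//host" (protocol-relative)
        # and never bare text, which could still be an entity-encoded scheme.
        if cleaned.startswith("/") and not cleaned.startswith("//"):
            return cleaned
        return DEFAULT_BACKLINK

    # Any other scheme (javascript:, data:, vbscript:, ...) is rejected outright.
    if scheme not in ALLOWED_SCHEMES:
        return DEFAULT_BACKLINK
    if parts.hostname is None:
        return DEFAULT_BACKLINK
    if allowed_hosts is not None and parts.hostname.lower() not in allowed_hosts:
        return DEFAULT_BACKLINK
    return urlunsplit(parts)


def render_backlink(value, allowed_hosts=None):
    """Build the anchor: scheme validation plus HTML attribute escaping."""
    href = safe_backlink(value, allowed_hosts)
    return '<a href="%s">back</a>' % escape(href, quote=True)


if __name__ == "__main__":
    # Constructed sample inputs: the payload from the report and a few variants.
    for probe in ["javascript:alert(/XSS/)", "java\tscript:alert(1)",
                  "/newsticker/", "http://www.heise.de/newsticker/"]:
        print(repr(probe), "->", render_backlink(probe, {"www.heise.de"}))
```

Validation and escaping are deliberately separate steps: escaping alone would not have stopped this bug, because `javascript:alert(/XSS/)` contains no characters that attribute escaping touches; the scheme check is what removes the `javascript:` vector, and the escaping guards against breaking out of the attribute with a quote.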

We contacted “heise security” and told them about this complex attack scenario. Some hours later we received a friendly email saying that they had forwarded the information to the responsible person. They were very thankful, and on the next morning the issue was resolved by removing the “back” link.

We would like to thank Heise's team for the competent handling, the (very) fast fix and all the awesome articles we can read every day ;)

The team of internetwache.org

Screenshots:

A screenshot of an XSS at Heise.de