Lidl fixes an XSS vulnerability

Recently we scanned the websites of some well-known grocery store chains in Germany. Many people visit their homepages, so attackers might be interested in those websites as well. In the course of this we discovered several cross-site scripting vulnerabilities in a forgotten script on lidl.de's homepage.

All vulnerable scripts were accessible under the subdomain newsletter.lidl.de. The parameters they used were not properly sanitized before being embedded into the pages' HTML code, which led to cross-site scripting. A cross-site scripting vulnerability enables an attacker to manipulate the behaviour and/or appearance of the website. Using such techniques, an attacker could trick a victim into revealing personal information.
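As an added illustration (not Lidl's script, whose code we do not have), here is the pattern in miniature: a newsletter form that reflects an `email` parameter straight into its HTML, the corrected version that escapes it for the HTML context, and the verbatim-reflection check a scan like ours looks for. The form markup, function names and sample input are assumptions.

```python
# Added example, not code from lidl.de: reflected XSS via an unescaped
# query parameter, beside the escaped version and a simple reflection check.
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical newsletter form; the email field is prefilled from the URL.
FORM = '<form action="/subscribe"><input name="email" value="{email}"><p>{msg}</p></form>'

# Constructed sample request: the decoded value is  "><b>x</b>
PAYLOAD = '/newsletter?email=%22%3E%3Cb%3Ex%3C%2Fb%3E'
BENIGN = '/newsletter?email=alice%40example.com'


def _email_param(query: str) -> str:
    """Extract the (URL-decoded) email parameter, or an empty string."""
    return parse_qs(urlsplit(query).query).get("email", [""])[0]


def render_vulnerable(query: str) -> str:
    """Embeds the raw parameter: a quote in the input closes the value
    attribute and any following tags become real markup in the page."""
    email = _email_param(query)
    return FORM.format(email=email, msg="Subscribing " + email)


def render_fixed(query: str) -> str:
    """html.escape with quote=True encodes & < > " and ', so the value can
    neither break out of the attribute nor start a tag in the <p> text."""
    email = html.escape(_email_param(query), quote=True)
    return FORM.format(email=email, msg="Subscribing " + email)


def reflects_raw_markup(query: str, page: str) -> bool:
    """Scanner-style check: does the response contain the input verbatim,
    including at least one character that is significant in HTML?"""
    email = _email_param(query)
    return email in page and any(c in email for c in '<>"\'')
```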

We contacted Lidl's support team on the 18th of June 2012. The first response we got was an automated email stating that our message had been successfully registered in their support system. Some nine days passed before we received a reply saying that the responsible department had been informed about the vulnerabilities. Finally, the issue was resolved by Lidl on the 12th of July by deleting all files under the mentioned subdomain, since they replaced them with a newer version.

In the end, it took Lidl 24 days to - not really fix - a simple cross-site scripting issue. In this case, the internal communication process delayed the fix. We would appreciate seeing an email address for the webmaster in the imprint, which would improve the way security issues get fixed. Our thanks go to all employees of Lidl, who were friendly and finally fixed the security hole.

The team of Internetwache.org

Screenshots:

Screenshot of an XSS at lidl.de