There is no number we can put to the combined following of Manchester United, Manchester City & Everton. These football clubs have millions and millions of followers worldwide. While these clubs may be divided by their fans and beliefs, there is something that unites them: a security vulnerability! Yes, you heard it right. A critical security vulnerability was found by a researcher in the websites of all these clubs.
Meet Robbie
Robbie is a British security researcher who is an expert at finding Cross-Site Scripting (XSS) vulnerabilities in websites. He participates in the bug-bounty programs of various companies. A month ago, he decided to check the security status of the websites of various football clubs and ended up finding XSS vulnerabilities in:
- Chelsea Club’s Main Website
- Everton Club’s Main Website
- Everton FC’s Web Shop
- Chelsea’s Megastore
- Manchester United’s Main Website
Apart from the above, Robbie has also found some critical vulnerabilities in ASK.com, a famous car dealership CMS system and even SkySports. The quickest find was the one in the car dealership CMS, which took him just two minutes. It took the developers a few months to fix the bug, though.
XSS Vulnerability in Famous Football Clubs
- XSS in Chelsea
- Manchester United XSS
- XSS in Everton
Consequences of XSS
XSS is often regarded as a ‘low-hanging fruit’ in the web security industry. This is because it is easy to find XSS in websites, and modern-day web apps seem to have a lot of it. But this doesn’t mean that XSS should be taken lightly, which it often is by developers. A few direct consequences of XSS in the websites of clubs like Chelsea, Manchester United and Everton include:
- Targeted attacks on website users to compromise their personal data (username, passwords, session data)
- If the XSS is stored, a mass attack on all the users of the websites
- Altering the website’s flow to suit the attacker
While these are only a few of the consequences, there are many more angles to XSS. To learn more about XSS, its consequences and how to prevent it, you can refer to the detailed article here.