How long? TalkTalk failed to fix cross-site scripting error until this week, despite being informed two years ago
TalkTalk is once again facing negative headlines after it emerged it has taken the Internet Service Provider (ISP) nearly two years to fix a serious vulnerability.
The flaw was discovered by an anonymous hacker/security researcher known simply as ‘B’, who found a “cross-site scripting” error that allowed him to take control of a convincing-looking “talktalk.co.uk” URL.
This meant that the hacker could potentially have tricked any of the ISP’s webmail customers into thinking they were accessing an official TalkTalk website, and could then have stolen their login details.
The hacker contacted Sky News about the website flaw that went unfixed for years.
The hacker showed Sky News a secure demonstration which revealed how easy it would be to steal a victim’s login details, and any other sensitive information, if he could get the individual to click on the link.
The hacker reportedly said this could be done via targeting customers with email phishing techniques, or by circulating his own link around tech support forums or on social media.
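The class of defect described above, as an added illustration that is not TalkTalk’s code and is not from the article: a constructed login page that reflects URL parameters into its HTML verbatim (the reported behaviour), beside the same page with the reflected values escaped, plus the regression check a triage team could keep running after the fix. Host name, parameter names and template are all assumptions.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed template standing in for a webmail login page that reflects
# query parameters (a username and a status message) back into the HTML.
PAGE = '<form action="/login"><input name="user" value="{user}"><p>{msg}</p></form>'


def _params(url: str) -> tuple[str, str]:
    q = parse_qs(urlparse(url).query)
    return q.get("user", [""])[0], q.get("msg", [""])[0]


def render_unescaped(url: str) -> str:
    """'Before' handler: reflects the parameters verbatim. Because the page is
    served from the genuine domain, anything placed in the URL becomes part of
    a page that looks entirely official to the customer."""
    user, msg = _params(url)
    return PAGE.format(user=user, msg=msg)


def render_escaped(url: str) -> str:
    """'After' handler: every reflected value is HTML-escaped, quotes included,
    since one of the values lands inside an attribute."""
    user, msg = _params(url)
    return PAGE.format(user=html.escape(user, quote=True),
                       msg=html.escape(msg, quote=True))


def reflects_markup(rendered: str, marker: str = "<script") -> bool:
    """Regression check: does a scripted marker survive into the output
    unescaped? Returning True means the reflected-parameter bug is present."""
    return marker in rendered


# Constructed probe URL; the host is a placeholder, not a real TalkTalk endpoint.
TEST_URL = ("https://webmail.example.invalid/login"
            "?user=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&msg=Session+expired")

if __name__ == "__main__":
    print("vulnerable:", reflects_markup(render_unescaped(TEST_URL)))  # True
    print("fixed:     ", reflects_markup(render_escaped(TEST_URL)))    # False
```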
And to make matters worse, it seems that TalkTalk only fixed the flaw this week after Sky News got in touch.
This is despite the fact that the ISP had been first alerted to the bug via its “bug bounty” platform way back in March 2016 – two years ago.
“The vulnerability is worryingly easy to locate,” the hacker told Sky News, before the ISP fixed it. “The vulnerable page and parameters can be identified within seconds of looking at the website.”
“After initially identifying it, we also discovered that it was submitted to a bug bounty platform in 2016,” the hacker is quoted as saying. “Relevant notification was issued to TalkTalk and we’ve made multiple attempts to get them to fix it.”
“What I can’t understand is why such neglect is applied to TalkTalk’s website security,” he added. “TalkTalk’s website has a history of vulnerabilities. One would assume that after the attack in 2015, they would pay more attention to the state of their security.”
TalkTalk’s security has, of course, been at the centre of a number of unwelcome headlines; most notably, the ISP was slapped with a record £400,000 fine by the Information Commissioner’s Office after a major breach in October 2015.
The firm was fined a further £100,000 in August 2017 after data belonging to 21,000 customers was exposed to “rogue” staff at a call centre in India.
TalkTalk reportedly told Sky News that it knew about this latest security flaw but deemed the risk low enough to leave it unpatched.
A TalkTalk spokesman said there was “no evidence to suggest that any customers were affected” by the “theoretical issue”, which they said had been resolved.
“We of course take all security issues very seriously,” said TalkTalk. “Like any phishing attempt, customers would only be exposed if they were sent and followed a malicious web address.”
“We regularly advise customers about the dangers of following links in phishing emails and we provide customers with free, industry-leading tools to protect against relevant viruses and malware,” the ISP said. “We will shortly be completing a major upgrade of our email service for all customers. In the meantime, customers should continue to access their webmail services normally.”
But that decision to allow the flaw to remain unpatched for two years has drawn a swift rebuke from some within the cybersecurity sector.
“Cross site scripting is a very serious vulnerability but what is more worrying is the response from TalkTalk,” said Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies.
“They have a duty of responsibility to their customer that is not only a corporate responsibility but is also mandated by regulation and legislation,” said Galloway.
“Unfortunately this response, or lack thereof, is much too common, which is why public disclosure is sometimes necessary,” Galloway added. “Security researchers responsibly disclosing flaws may actually put enough pressure on the company affected to close the vulnerability, thus protecting the public.”
Another expert also lamented TalkTalk’s tardy response.
“Organisations should aim to fix or mitigate all vulnerabilities within a reasonable time frame, even when they are small, low severity bugs,” said Aaron Zander, IT Engineer at bug bounty platform HackerOne. “Cybersecurity is about building trust with the public. Waiting two years to fix a bug could give the impression that a company takes a lax approach to security.”
“It is therefore important that they address any security issues quickly so they do not escalate,” said Zander. “Was this the largest exploit ever? No. But not fixing it for years doesn’t bode well for any additional issues they may have.”