Gallup, the well-known international market research company, has moved to block security flaws on its website.
The cross-site scripting (XSS) vulnerability could have exposed personal data or been used to spread false information. The flaws came to light as the US presidential election moves up a gear, with concerns about malicious actors spreading misinformation.
Researchers at Checkmarx found two XSS flaws on Gallup’s website. The flaws were a Reflected XSS vulnerability, with a CVSS score of 6.5, and DOM-based XSS, rated at 5.4. Checkmarx researchers originally found the flaws and reported them to Gallup in June, and the market research company has since fixed the vulnerabilities.
According to Checkmarx, XSS vulnerabilities allow attackers to bypass same origin policies, impersonate users and access their data. Moreover, if a user has privileged access, attackers could “gain full control over an application’s functionality and data.”
The reflected cross scripting vulnerability affected a kiosk application on Gallup’s website, used to launch surveys. The flaw could have allowed the execution of arbitrary code, resulting in access to personal data and even the ability to add an unauthorized product to the user’s shopping cart.
The DOM (Document Object Model) based XSS flaw at my.gallup.com could allow attackers to execute arbitrary code in a victim’s navigation session, potentially resulting in account takeover.
Checkmarx has published proof of concepts for both flaws.
Checkmarx advised Gallup to add or adjust its content security policy and “to restrict locations where the browser can fetch and execute scripts,” as well as “properly encode data according to the output context it will be included before appending it to the response markup (HTML) or page DOM.”
The researchers report that the flaws were addressed by Gallup.
“The Checkmarx team uncovered a flaw in website code at polling company Gallup that could have allowed threat actors to post customized ‘fake news’ content on that site,” Erez Yalon, VP of security research at Checkmarx, told Infosecurity.
“Exploiting cross-site scripting (XSS), the Checkmarx team demonstrated how false poll results could have been posted to the Gallup website. Checkmarx worked with the Gallup security and website teams to remediate the security vulnerability, which the Gallup teams completed swiftly.
“During a US presidential election year where swing voters are said to be the deciding votes in that deeply divided nation, it’s clear that a threat actor could post false polling results that could lead less motivated swing voters to decide that their votes don’t count and to sit out the voting process.”
Earlier this year, the World Economic Forum (WEF) highlighted misinformation and disinformation in its Global Risks Report. Misinformation is the most severe risk, and is rising rapidly, according to the WEF.