The official website of InMobi, one of the largest independent mobile advertising networks in the world, was found to contain some serious vulnerabilities that could be exploited at any time by cybercriminals. Unfortunately, the issues are ignored by the company.
According to Indian security researcher Shadab Siddiqui, the website contains not only a lot of sloppy code and broken links, but also some cross-site scripting (XSS) and Iframe Injection flaws.
So let’s take a look at the dangers users can be exposed to as a result of these vulnerabilities.
First of all, a cybercriminal can leverage the XSS security holes to inject malicious scripts that alter the webpage. Combined with social engineering, the XSS flaws can allow attackers to launch phishing scams designed to steal sensitive data from the unsuspecting victim.
The worst thing about XSS attacks is that the victim sees the malicious content as belonging to the site, making him believe that the site’s owners are presenting him with the phishing form, or whatever other elements the crooks have in store.
Another issue affecting the site is that in some sections user credentials are sent in clear text, which allows a third party intercepting the unencrypted HTTP connection to steal them.
The user login page appears to use an HTTPS connection, but some webpages still rely on plain HTTP.
One way to add another layer of protection against XSS attacks is to mark session cookies as HttpOnly. Unfortunately, in this case the cookies are not marked, allowing a hacker to steal them and hijack the victim’s session.
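As an added example (not code from the article or from InMobi), the following Python audits a server's Set-Cookie headers for the two flags relevant here, HttpOnly against script-based cookie theft and Secure against transmission over plain HTTP, and builds a header that carries both; the sample header values are constructed for this illustration.

```python
# Added example: audit Set-Cookie header values for the HttpOnly and Secure
# flags, and build a hardened header. Sample headers below are constructed
# for this example, not captured from any real site.
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie header values, as a server might send them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/",           # no flags: readable by script, sent over HTTP
    "csrftoken=zzz; Path=/; Secure",      # Secure only: still readable via document.cookie
    "uid=42; Path=/; HttpOnly; Secure",   # both flags present
]


def audit_set_cookie(headers):
    """Return {cookie_name: [missing flags]} for each Set-Cookie header value.

    HttpOnly stops document.cookie (and so any script injected through XSS)
    from reading the cookie; Secure stops the browser from sending it over
    plain HTTP. Neither flag fixes the XSS itself; they limit session theft.
    """
    findings = {}
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            missing = []
            if not morsel["httponly"]:
                missing.append("HttpOnly")
            if not morsel["secure"]:
                missing.append("Secure")
            findings[name] = missing
    return findings


def hardened_set_cookie(name, value, path="/"):
    """Build a Set-Cookie header value that passes audit_set_cookie()."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    return jar[name].OutputString()


if __name__ == "__main__":
    for cookie, missing in audit_set_cookie(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
    print(hardened_set_cookie("sessionid", "abc123"))
```

Run it against the Set-Cookie values from a real response (for example those returned by a requests session) to list every cookie that an injected script could read or that would travel over HTTP.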
InMobi representatives were contacted and provided with a complete report, but so far they have failed to reply to our inquiries.