The official site of Tanishq, one of the most famous jewelry brands in India, has been reported as containing a large number of vulnerabilities that could expose their customers to malicious operations.
Tanishq is a subsidiary of Titan Industries and it’s highly promoted by the largest conglomerate in India, the Tata Group.
Security researcher Shadab Siddiqui reveals that the official online store contains cross-site scripting (XSS), Iframe Injection and many other flaws that could seriously affect users who want to purchase products.
“Tanishq online shopping platform is so vulnerable that one can hijack one session and buy products with the credentials of someone else,” the expert explained.
“For example, consider you logged in and shopped for 100 USD and I hijacked your session (as the cookies contain credit card no, etc.). I can shop for 10,000 USD and even if you will get the material, but you also end up paying for it.”
The screenshots provided by the expert demonstrate how easily a cybercrook could steal a customer’s cookies and implicitly his session. They also show how the site can be altered by someone who leverages the Iframe Injection security hole.
Just imagine a malicious site being placed in the location where the Google page has been injected. The results could be devastating.
Tanishq has been contacted nearly a month ago, but so far they haven’t responded. Unfortunately, this may be one of those situations in which a high-profile company doesn’t put a large price on security, or simply doesn’t know how to handle these types of incidents.
On the other hand, as the expert highlights, the organization’s connections to Tata Consultancy Services (TCS), a global leader in IT services, should ensure that these types of vulnerabilities aren’t present, or at least that they are addressed quickly.