The popular site About.com, also known as The About Group, suffers from a high-severity vulnerability that leaves its millions of users under threat. The site, which recorded 98 million visitors in a month, seems not to care about its users' security.
For the Iframe Injection (Cross Frame Scripting, XFS) attack, Jing says that an attacker can use the bug for a denial-of-service attack against other websites. According to Jing, the vulnerabilities can be attacked without user login and work across all the popular browsers.
A security researcher, Wang Jing, disclosed Monday that "at least 99.88%" of all topic links and all domains related to About.com are vulnerable to open XSS (Cross Site Scripting) and Iframe Injection (Cross Frame Scripting, XFS) attacks.
Wang Jing has disclosed massive security loopholes on about.com. He reported the issue on Sunday, Oct 19, 2014, but received no response. Even now, after the public disclosure, he has not received any response and all the vulnerabilities are still unpatched.
Jing added,
"Simultaneously, the About.com main page's search field is vulnerable to XSS attacks too. This means all domains related to About.com are vulnerable to XSS attacks."
Because of the critical and large-scale nature of the issue, Jing has made a detailed report and a proof-of-concept video (shown below) of the vulnerability. He wrote his disclosure on his own blog and also on the security blog.