Most concerning, High-Tech Bridge discovered two XSS vulnerabilities on the main site, and one in a subdomain. It said that it notified WEF, but has yet to get a response.
The ramifications aren’t good: hackers can perform drive-by attacks via XSS that can infect a website visitor’s machine and turn it into a zombie, just by clicking on a specially crafted link on the vulnerable website. Also, hackers can steal cookies, website credentials and browser histories.
“Critical web vulnerabilities such as SQL Injections or remote command executions are becoming rare and difficult to exploit as web developers are more and more aware of them,” the company said in a blog post. “However, the number of medium-risk vulnerabilities, such as XSS, is permanently growing. Being a medium-risk vulnerability, XSS usually provides a larger number of attack and exploitation opportunities to hackers than other web vulnerabilities, as it does not target the web application, but rather website visitors and administrators.”
Further examination revealed an ability to uncover personal email addresses of WEF members via the site.
“We can presume that at least several thousands of forum stakeholders’ emails can be disclosed to spammers because of this vulnerability,” HighTech said. “The biggest risk here is that these personal emails can be used by hackers to perform targeted attacks in pair with XSS vulnerabilities, that make quite an explosive and efficient hacking cocktail.”
Also, a third issue exists in the form of the SSL certificate on the www.weforum.org site: It is invalid, and therefore cannot correctly encrypt the traffic between the end-users and the web server, putting website visitors’ privacy at risk.
"It’s regrettable that such respectable, large and important organizations like the WEF don’t pay enough attention to web security,” said Ilia Kolochenko, High-Tech Bridge’s CEO. “This may not only put their own infrastructure at risk, but their stakeholders as well.”
He added, “Moreover, the vulnerabilities we reported are quite possibly just the tip of iceberg, as without their [WEF] permission we didn’t want to perform any further more ‘intrusive’ security checks that can reveal much more serious vulnerabilities. I sincerely hope that these vulnerabilities were not exploited by hackers for whom WEF and its participants are very attractive targets."
The WEF hasn’t issued a statement on the situation.