XSS and Cookie Handling Vulnerabilities Identified on HTC Website, Allows Attacker to Hijack Account

16-year-old security researcher Thamatam Deepak has identified a number of three cross-site scripting (XSS) vulnerabilities and a cookie handling flaw on the website of world-renowned smartphone manufacturer HTC.

The expert said the vulnerabilities – which affected pages such as product security, account information, and smartphone presentation – have been addressed by HTC after he notified them, according to The Hacker News

If unfixed, the XSS vulnerabilities could have been leveraged by a remote attacker to inject arbitrary content, while the cookie handling flaw might have been exploited to hijack user accounts.

This isn’t the first time when security experts find XSS bugs on HTC’s website. Back in April, researcher Shadab Siddiqui identified similar flaws and reported them to the company.

However, at the time, they failed to respond to his notifications and the vulnerabilities remained unfixed for months.

No comments: