As election season began to heat up over the summer, the Gallup polling firm rushed to patch a pair of cross-site scripting (XSS) vulnerabilities in the firm's website that left it vulnerable to malicious actors.
Both flaws offered adversaries the chance to perform actions on behalf of users, which could be used to manipulate Gallup polling and research results. These weaknesses are particularly concerning heading into a US election season that is already being heavily targeted by misinformation. Just this week, for instance, the US Department of Justice accused Russia of a $10 million disinformation campaign that sought to barrage social media with enough bad information to sway the presidential election in November.
Cybersecurity researchers with Checkmarx explained in a report on Sept. 9 that they first contacted Gallup's incident response team on June 23 to report the XSS flaws: the first a reflected XSS bug with a CVSS score of 6.5 out of 10, and the second a Document Object Model (DOM)-based XSS vulnerability with a CVSS score of 5.4.
"In an era where misinformation and identity theft pose significant threats, the security of survey platforms is crucial, particularly during pivotal global election cycles," the Checkmarx team wrote. "Gallup, the leading survey firm, quickly addressed security vulnerabilities that could be exploited to facilitate the dissemination of false information and compromise the personal data of users."
Gallup's Cross-Site Scripting Vulnerabilities
In the case of the first, reflected XSS flaw, the researchers found that "the /kiosk.gx endpoint does not properly sanitize or encode the query string ALIAS parameter value before including it on the page."
Exploitation of the vulnerability could allow malicious actors to execute code in the targeted user's browsing session and perform various actions on their behalf, the researchers added.
"It is important to note that this endpoint is commonly used to access Gallup surveys, which may make users more susceptible to exploitation," the Checkmarx team wrote. "This could lead to unauthorized access to personally identifiable information (PII), manipulation of user preferences, and other detrimental actions."
In the second flaw, the endpoint once again failed to protect query parameter values before adding them to the page, giving a malicious actor another opportunity to perform tasks disguised as the target user or even take over the account altogether.
To avoid similar XSS flaws, the researchers at Checkmarx advise that cybersecurity teams ensure their data is properly encoded before sending it to the response markup (HTML) or the page DOM. Further, they recommend tightening the content security policy (CSP) to restrict the locations from which the browser can fetch or execute scripts.
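The two recommendations above, as an added illustration that is not Checkmarx's or Gallup's code: a query-string value is encoded for the HTML context it lands in before being placed on the page, shown beside the raw-concatenation pattern the report describes, plus a restrictive CSP header. The ALIAS parameter and /kiosk.gx endpoint come from the report; the function names, the sample URL and the policy values are assumptions made for the example.

```javascript
// Added example (not from the page). Helper names are hypothetical; the ALIAS
// parameter and /kiosk.gx endpoint are the ones named in the Checkmarx report.

// Encode the five characters that let a string break out of an HTML text or
// attribute context. Encoding is applied at output time, for the context the
// value lands in, which is what the "encode before sending to HTML or the DOM"
// recommendation amounts to.
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read the ALIAS query parameter the way a handler for an endpoint such as
// /kiosk.gx might (base origin is a placeholder so relative URLs parse).
function getAliasParam(url) {
  return new URL(url, 'https://example.invalid').searchParams.get('ALIAS') ?? '';
}

// Bug class from the report: the raw parameter is concatenated into markup, so
// any markup inside the value becomes part of the page.
function renderAliasUnsafe(url) {
  return `<h1>Survey: ${getAliasParam(url)}</h1>`;
}

// Hardened form: the same value, encoded for the HTML text context it lands in.
function renderAliasSafe(url) {
  return `<h1>Survey: ${encodeForHtml(getAliasParam(url))}</h1>`;
}

// Example Content-Security-Policy that refuses inline script and limits script
// sources to the site's own origin, so an encoding slip has far less effect.
// Defense in depth, not a replacement for output encoding. Values are assumed.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Constructed sample input: an ALIAS value that contains markup.
const SAMPLE_URL = '/kiosk.gx?ALIAS=<script>alert(1)</script>';
```

The encoder is for HTML text and quoted-attribute contexts only; a value placed inside a script block, a URL, or a CSS rule needs an encoder for that context.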
"The prevalence of misinformation was identified as the top global risk in 2024 by the World Economic Forum's 'Global Risks Report 2024,'" Checkmarx vice president of security research Erez Yalon says. "[It's important to] secure software that is susceptible to exploits by malicious actors, educate and close the knowledge gap, and hopefully safeguard the integrity of the election process."