{"id":5286,"date":"2024-09-10T06:00:00","date_gmt":"2024-09-10T11:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/vulnerabilities-threats\/gallup-xss-bugs-website"},"modified":"2024-09-10T06:00:00","modified_gmt":"2024-09-10T11:00:00","slug":"gallup-addresses-xss-bugs-in-website","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/09\/10\/gallup-addresses-xss-bugs-in-website\/","title":{"rendered":"Gallup Addresses XSS Bugs in Website"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/bltf952dafa8434c588\/66d8bbd6eb910ac09f0fc1e9\/gallup_organization_Kristoffer_Tripplaar_Alamy.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/gallup-addresses-xss-bugs-in-website.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">UPDATE<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold ContentText-BodyTextChunk_italic\">Editor&#8217;s Note: Dark Reading has become aware that a portion of the original Checkmarx research on these vulnerabilities is in dispute, prompting us to retract sections of our reporting below.<\/span><\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span 
class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">As election season started to simmer over the summer, the Gallup polling company rushed to patch against a pair of cross-site scripting (XSS) vulnerabilities in the company&#8217;s website that left it vulnerable to misuse by malicious actors.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Cybersecurity researchers with Checkmarx explained in a report on Sept. 9 that they first contacted the incident response team at Gallup on June 23 to report <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/endpoint-security\/oauth-xss-attack-millions-web-users-account-takeover\" rel=\"noopener\">the XSS flaws<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> \u2014 the first a reflected XSS bug with a CVSS score of 6.5 out of 10, and the second a document object model (DOM)-based XSS vulnerability with a CVSS score of 5.4.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The flaws do not impact any of Gallup\u2019s internal data or polling.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Gallup's Cross-Site Scripting Vulnerabilities\">Gallup&#8217;s Cross-Site Scripting Vulnerabilities<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In the case of the first reflected XSS flaw, the 
researchers found that &#8220;the \/kiosk.gx endpoint does not properly sanitize or encode the query string ALIAS parameter value before including it on the page.&#8221;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In the second flaw, the endpoint once again failed to protect query parameter values before adding them to the page.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">To avoid similar XSS flaws, the researchers at Checkmarx suggest that cybersecurity teams ensure their data is properly encoded before sending it to the response markup (HTML) or page DOM. Further, they recommend tweaking the content security policy to block locations where the browser can fetch or execute scripts.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold\">This post was updated at 11:30AM ET on Sept. 11, 2024, to reflect that the bugs affected the website, not the Gallup Poll itself.<\/span><\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold\">Another update was made at 4:53PM ET on Sept. 
11, 2024 to clarify that neither vulnerability could have allowed attacker access to Gallup.com infrastructure and did not put internal data at risk of compromise.<\/span><\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold\">A third update was made at 1:03PM ET on Sept. 12, 2024, to remove sections of the article that were based on now-disputed portions of the original Checkmarx blog.<\/span><\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/gallup-xss-bugs-website\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>UPDATE Editor&#8217;s Note: Dark Reading has become aware that a<\/p>\n","protected":false},"author":12,"featured_media":5287,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-5286","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/gallup-addresses-xss-bugs-in-website.jpg?fit=2132%2C1136&ssl=1",2132,1136,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/gallup-addresses-xss-bugs-in-website.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/gallup-addresses-xss-bugs-in-website.jpg?fit=300%2C160&ssl=1",300,160,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/gallup-addresses-xss-bugs-in-website.jpg?fit=640%2C341&ssl=1",640,341,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/
09\/gallup-addresses-xss-bugs-in-website.jpg?fit=640%2C341&ssl=1",640,341,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/gallup-addresses-xss-bugs-in-website.jpg?fit=1536%2C818&ssl=1",1536,818,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/gallup-addresses-xss-bugs-in-website.jpg?fit=2048%2C1091&ssl=1",2048,1091,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/gallup-addresses-xss-bugs-in-website.jpg?fit=1024%2C546&ssl=1",1024,546,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/gallup-addresses-xss-bugs-in-website.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/gallup-addresses-xss-bugs-in-website.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category 
tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/gallup-addresses-xss-bugs-in-website.jpg?fit=2132%2C1136&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5286","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5286"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5286\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/5287"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5286"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5286"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5286"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}