It has been reported today that TalkTalk has been urged to improve its security after a researcher found a “Cross Site Scripting” error allowing him to take control of a convincing-looking “talktalk.co.uk” URL, which meant he could potentially trick any of the company’s webmail customers into thinking they were accessing an official TalkTalk website.
TalkTalk was apparently told about the flaw in March 2016 through a bug bounty program, but it was only fixed this week. In response to this piece of news, IT security experts commented below.
Ondrej Kubovic, Security Awareness Specialist at ESET:
“With the growing complexity of IT environments, the number of vulnerabilities that could be found and possibly misused by attackers is growing every day.
This can make it increasingly difficult for IT teams to address all vulnerabilities immediately. With that said, it should be a top priority to patch known major vulnerabilities as soon as possible, especially if they affect public-facing company assets.”
Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies:
“Cross site scripting is a very serious vulnerability, but what is more worrying is the response from TalkTalk. They have a duty of responsibility to their customers that is not only a corporate responsibility but is also mandated by regulation and legislation. Unfortunately this response, or lack thereof, is much too common, which is why public disclosure is sometimes necessary. Security researchers responsibly disclosing flaws may actually put enough pressure on the company affected to close the vulnerability, thus protecting the public.”
Brooks Wallace, Managing Director EMEA at Trusted Knight:
“This is a relatively standard phishing exercise and, as is always advised, consumers need to be vigilant when logging into websites. TalkTalk might be of the belief that the risk presented to customers from the fake website was low, but the opposite is true. Any customer could easily have mistaken this site for the real one, entered their log-in details and then had them hoovered up by the hacker to use on the real version. On top of that, people have a habit of using the same username and password across multiple sites, so the hackers could then have gone on to brute-force multiple sites.
“A fake website popping up is not necessarily the fault of a brand, but getting rid of it is their responsibility. A lot of businesses get caught out by security 101 issues and, despite the very public consequences, many are clearly still struggling with basic cybersecurity practices.”