While running an initial check on https://www.sothebysrealty.com/, which had just experienced a supply chain attack affecting over 100 real estate websites operated by the company, Cyberpion discovered that sothebys.com, the multinational parent of which Sotheby’s International Realty is a subsidiary, is not adopting the best security policies that past experience should have prompted it to implement, especially considering that its site was infected with digital skimming code back in 2018.
Other key findings include:
- Sotheby’s home page (sothebys.com) is accessible over an insecure (plain HTTP) connection.
- This page also links to their login page (which is itself loaded securely), but because the home page can be tampered with in transit, a manipulation of the main site can redirect or alter access to the login page as well.
- The main domain is serving Mixed Content: when the site is accessed over HTTP, content that is available over HTTPS is delivered over HTTP instead, leaving the unencrypted content readable by sniffers and modifiable by man-in-the-middle attackers.
- There is no Content Security Policy (CSP) header, a control that is now recommended for websites and that limits which scripts a browser will execute on the page.
- When registering for their newsletter via the site.
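The findings above (plain-HTTP reachability, a login link reachable only through a tamperable page, mixed content, and a missing CSP) can all be checked statically from a single captured response. The following Python script is an added example written for this page, not Cyberpion's own scanner or anything belonging to Sotheby's; the hostnames under `example.invalid` and the sample responses are constructed, and the audit is deliberately offline so it can be reproduced without touching any live site.

```python
"""Static audit of one HTTP(S) response for the issues listed above.

The checks mirror the findings in the post: a page served over plain HTTP
without an HTTPS redirect, HTTPS links that are only reachable through a
tamperable HTTP page, mixed content (HTTP subresources on an HTTPS page),
and a missing Content-Security-Policy header.  All sample data below is
constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _RefCollector(HTMLParser):
    """Collect (tag, url) pairs for tags that load subresources or navigate."""

    _ATTRS = {"script": "src", "img": "src", "iframe": "src",
              "link": "href", "form": "action", "a": "href"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = self._ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def audit_response(page_url, status, headers, body):
    """Return a list of human-readable findings for one captured response."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    scheme = urlparse(page_url).scheme

    if scheme == "http":
        location = hdrs.get("location", "")
        if 300 <= status < 400 and location.lower().startswith("https://"):
            return findings  # plain HTTP only redirects to HTTPS: acceptable
        findings.append("page served over plain HTTP with no redirect to HTTPS")
    elif "strict-transport-security" not in hdrs:
        findings.append("no Strict-Transport-Security header")

    if "content-security-policy" not in hdrs:
        findings.append("no Content-Security-Policy header")

    collector = _RefCollector()
    collector.feed(body)
    for tag, ref in collector.refs:
        # urljoin resolves relative and protocol-relative (//host/...) URLs
        target = urlparse(urljoin(page_url, ref))
        if tag == "a":
            # A secure login link embedded in an HTTP page inherits the
            # page's exposure: a MITM can rewrite the link before it is clicked.
            if scheme == "http" and target.scheme == "https":
                findings.append("HTTPS link reachable only through a tamperable "
                                f"HTTP page: {target.geturl()}")
        elif target.scheme == "http":
            label = "mixed content" if scheme == "https" else "insecure subresource"
            findings.append(f"{label}: <{tag}> loads {target.geturl()}")
    return findings


# Constructed sample responses (hostnames are reserved .invalid names).
SAMPLE_HTTP_HOME = dict(
    page_url="http://www.example.invalid/", status=200,
    headers={"Content-Type": "text/html"},
    body='<html><head>'
         '<link rel="stylesheet" href="http://cdn.example.invalid/site.css">'
         '<script src="//cdn.example.invalid/app.js"></script>'
         '</head><body><a href="https://www.example.invalid/login">Sign in</a>'
         '</body></html>')

SAMPLE_HTTP_REDIRECT = dict(
    page_url="http://www.example.invalid/", status=301,
    headers={"Location": "https://www.example.invalid/"}, body="")

SAMPLE_HTTPS_MIXED = dict(
    page_url="https://www.example.invalid/", status=200,
    headers={"Content-Security-Policy": "default-src 'self'",
             "Strict-Transport-Security": "max-age=31536000"},
    body='<html><body><img src="http://cdn.example.invalid/logo.png"></body></html>')

SAMPLE_HTTPS_HARDENED = dict(
    page_url="https://www.example.invalid/", status=200,
    headers={"Content-Security-Policy": "default-src 'self'",
             "Strict-Transport-Security": "max-age=31536000"},
    body='<html><head><script src="/app.js"></script></head>'
         '<body><a href="/login">Sign in</a></body></html>')


if __name__ == "__main__":
    for name, sample in [("http home", SAMPLE_HTTP_HOME),
                         ("http redirect", SAMPLE_HTTP_REDIRECT),
                         ("https mixed", SAMPLE_HTTPS_MIXED),
                         ("https hardened", SAMPLE_HTTPS_HARDENED)]:
        print(f"== {name}")
        for finding in audit_response(**sample) or ["no findings"]:
            print("  -", finding)
```

The HTTP home-page sample reproduces the post's findings in one pass: the page itself is reachable without a redirect, the CSP header is absent, two subresources (including a protocol-relative script) resolve to plain HTTP, and the HTTPS login link is flagged because it is only as trustworthy as the HTTP page carrying it. The redirect and hardened samples show the baseline that clears every check.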