It has been reported today that TalkTalk has been urged to improve its security after a researcher found a “Cross Site Scripting” error that allowed him to take control of a convincing-looking “talktalk.co.uk” URL, meaning he could potentially trick any of the company’s webmail customers into thinking they were accessing an official TalkTalk website.
TalkTalk was apparently told about the flaw in March 2016 through a bug bounty program, but it was only fixed this week. In response to this piece of news, IT security experts commented below.
Ondrej Kubovic, Security Awareness Specialist at ESET:
“With the growing complexity of IT environments, the number of vulnerabilities that could be found and possibly misused by attackers, is growing every day.
This can make it increasingly difficult for IT teams to address all vulnerabilities immediately. With that said, it should be a top priority to patch known major vulnerabilities as soon as possible, especially if they affect public-facing company assets.
“Cross site scripting is a very serious vulnerability but what is more worrying is the response from TalkTalk. They have a duty of responsibility to their customer that is not only a corporate responsibility but is also mandated by regulation and legislation. Unfortunately this response, or lack thereof, is much too common, which is why public disclosure is sometimes necessary. Security researchers responsibly disclosing flaws may actually put enough pressure on the company affected to close the vulnerability, thus protecting the public.”
“This is a relatively standard phishing exercise and, as is always advised, consumers need to be vigilant when logging into websites. TalkTalk might be of the belief that the risk presented to customers from the fake website was low, but the opposite is true. Any customer could easily have mistaken this site for the real one, entered their log-in details and then have them hoovered up by the hacker to use on the real version. On top of that, people have a habit of using the same username and password across multiple sites, so the hackers could then have gone on to brute-force multiple sites.
“A fake website popping up is not necessarily the fault of a brand, but getting rid of it is their responsibility. A lot of businesses get caught out by security 101 issues and, despite the very public consequences, many are clearly still struggling with basic cybersecurity practices.”