A security lapse in the official website of Vatican City allowed anyone to post whatever they wanted as news. The flaw in Vatican News, the official news publication of the Vatican, was discovered by independent researcher Inti De Ceukelaire. As proof, he tweeted a picture of Vatican News falsely stating that Pope Francis had declared God to be an onion.
— Inti De Ceukelaire (@intidc) February 8, 2018
This is by no means De Ceukelaire's first rodeo. He has been responsible for exposing several security flaws in the past. A few months ago, he managed to gain access to several companies through their helpdesk by exploiting a vulnerability in Slack.
Unpatched XSS vulnerability found to be the cause.
De Ceukelaire encountered an unpatched cross-site scripting (XSS) vulnerability and exploited it. XSS is a flaw in which an attacker injects their own script into a webpage. The injected code is rendered in the victim's browser and can change the appearance of the page or introduce behavior the site never intended.
XSS vulnerabilities come in two main types: stored and reflected. With stored XSS, the malicious script is saved on the compromised server, often in its database. Hence, every time the infected page is viewed, the script is delivered to the victim's browser. Stored XSS attacks are relatively harder to execute because the attacker must find a website that is both well trafficked and vulnerable in a way that allows a script to be embedded permanently.
Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off a web application into the victim's browser. The script is delivered through a link that sends a request to a vulnerable website, which echoes the script back in its response, where the browser executes it. The link is embedded in anchor text that entices the user to click it; the click sends the XSS request to the vulnerable website, which reflects the attack back to the user.
In the case of Vatican News, De Ceukelaire found a reflected vulnerability. Although the issue continues to exist, no permanent damage has been done yet. The fake article has been scrubbed from the website, but the potential for another one showing up remains.
De Ceukelaire warned Vatican News about the issue on several occasions.
It is common practice among security researchers to abide by responsible disclosure practices. This means that researchers give vendors and websites a reasonable chance to fix issues before they are made public. Unfortunately, the publication failed to acknowledge the issue, so De Ceukelaire decided to disclose it publicly to his followers on his Twitter account.
Although the hack is little more than a friendly prank, it highlights glaring flaws in the website's security. It opens up the possibility for anyone to pass off their own content as 'news,' and the last thing we want is fake news written in a basement featured on the official Vatican News website.