Vulnerability in Official Vatican News Site Allows Hacker to Declare God an Onion

A security lapse in the official website of Vatican City allowed anyone to post whatever they wanted as news. The flaw in the Vatican's official news publication was discovered by independent researcher Inti De Ceukelaire. As proof, he tweeted a picture of Vatican News falsely stating that Pope Francis had declared God to be an onion.


This is by no means De Ceukelaire's first rodeo. He has been responsible for exposing several security breaches in the past. A few months ago, he managed to gain access to several companies through their helpdesks by exploiting a vulnerability in Slack.

Unpatched XSS vulnerability found to be the cause.

De Ceukelaire encountered an unpatched cross-site scripting (XSS) vulnerability and exploited it. XSS is a class of flaw in which an attacker injects their own script into a web page. The script is rendered in the user's browser and can change the appearance of the page or introduce undesired behavior.

XSS vulnerabilities come in two types: reflected and stored. In a stored XSS attack, the malicious script is saved on the compromised site, typically in its database, so every time the infected page is viewed the script is transmitted to the victim's browser. Stored XSS attacks are relatively harder to execute because of the difficulty of locating a website that is both well trafficked and has a vulnerability that enables permanent script embedding.


Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off a web application into the victim's browser. The script is delivered through a link that sends a request to a vulnerable website, which echoes the script back in its response. The link is embedded in anchor text that entices the user to click it; the click initiates the request to the vulnerable site, which reflects the attack back to the user.
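To make the reflected case concrete, here is an added example (not code from the article or from Vatican News) of a minimal "search results" page that echoes a URL parameter back into HTML. The first version concatenates the parameter straight into the markup, which is exactly the pattern that lets a crafted link carry a script into the victim's browser; the second applies HTML-context output encoding, and a restrictive Content-Security-Policy is added as defence in depth. The route, the `q` parameter name and the `example.test` host are assumptions for illustration; the query value is a constructed test probe, not anything from the real site.

```javascript
// Added example: reflected XSS in a search page, vulnerable vs. hardened rendering.
// Route (/search), parameter name (q) and host (example.test) are assumed.

// Constructed sample input: the kind of value a crafted link might carry in ?q=.
const CONSTRUCTED_QUERY = '<script>alert(1)</script>';

// VULNERABLE: untrusted input is concatenated directly into HTML markup, so the
// browser parses whatever the link supplied as part of the page.
function renderSearchPageVulnerable(q) {
  return `<h1>Results for: ${q}</h1>`;
}

// HTML-entity encode the characters that can terminate a text node or attribute
// value. Encoding happens at output time, for the HTML context specifically.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED: same page, but the reflected value is encoded before insertion.
function renderSearchPageSafe(q) {
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Defence in depth: a CSP with no 'unsafe-inline' means an inline script that slips
// past encoding still does not run. Real deployments would add nonces or hashes
// for their own legitimate inline scripts.
function securityHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Simulated request handling: parse ?q= from the URL (percent-decoding included,
// as a browser would send it) and render with the chosen renderer.
function handleSearchRequest(urlString, hardened = true) {
  const url = new URL(urlString, 'https://example.test'); // base host assumed
  const q = url.searchParams.get('q') ?? '';
  const body = hardened ? renderSearchPageSafe(q) : renderSearchPageVulnerable(q);
  return { status: 200, headers: securityHeaders(), body };
}

// Regression check suitable for a test suite: does the rendered page still contain
// the untrusted value as raw markup?
function reflectsRawMarkup(html, untrusted) {
  return html.includes(untrusted);
}

// Stand-alone demonstration.
const crafted = '/search?q=' + encodeURIComponent(CONSTRUCTED_QUERY);
console.log('vulnerable:', handleSearchRequest(crafted, false).body);
console.log('hardened:  ', handleSearchRequest(crafted, true).body);
```

Running the block prints the same request rendered both ways: the vulnerable body contains the probe as live markup, while the hardened body contains only `&lt;script&gt;…` text. The `reflectsRawMarkup` check is the kind of assertion a site could add to its own tests so that a template change which drops the encoding fails before it ships.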

In the case of Vatican News, De Ceukelaire found a reflected vulnerability. Although the issue continues to exist, no permanent damage has been done yet. The article has been scrubbed from the website, but another one could show up at any time.

De Ceukelaire warned Vatican News about the issue on several occasions.

It is common practice among security researchers to follow responsible disclosure: researchers give vendors and websites a reasonable chance to fix issues before they are made public. Unfortunately, the publication failed to acknowledge the issue, so De Ceukelaire disclosed it publicly to his followers on Twitter.

Although the hack is little more than a friendly prank, it highlights glaring flaws in the website’s security. It opens up possibilities for people to pass off their content as ‘news,’ and the last thing we want is fake news written in a basement featured on the official Vatican News website.
