In the run-up to Christmas, online stores were booming, and the Corona lockdown shortly before Christmas may have brought further traffic to the virtual shops. But even those who stayed away from city centers and shopped on their couches at home were at risk: Clothing store Dedoles failed to plug security holes on its website for months.
Dedoles sells mainly funny socks, pants and boxer shorts, and very successfully, if the company’s own figures are to be believed: according to Dedoles, more than one million customers have already ordered from it, and the Slovakian company is active in 19 European countries, including Germany. Security expert Daniel Ruf, however, was not interested in the colorful socks but in the IT security of the store.
Cross site scripting again
Ruf promptly discovered several vulnerabilities of the type “Cross Site Scripting” (XSS) in the store system. He didn’t have to search long for them: The first one he found right on the start page, in a central function of the store.
Funny socks, holey store: Dedoles has been having problems with XSS leaks for months now.
XSS leaks are among the most common security problems on websites. If a server fails to check user input, for example typed search terms, an attacker gets the chance to inject his own code into the website. That code is then executed by the victim’s browser in the context of the site. The attacker can thus, for example, leak payment data or distribute malware.
Such gaps are dangerous, but also easy to fix. Only minor changes to source code are needed to filter out potentially dangerous characters from user input and effectively prevent the injection of malicious content.
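To make the kind of hole described above concrete, here is an added example (not Dedoles’ code, and not from the c’t investigation): a store search page that echoes the typed search term back into the results, once unprotected and once with the small fix the article alludes to. The example uses HTML output encoding rather than stripping characters, which is how this fix is usually implemented; the page layout and function names are assumptions.

```javascript
// Added illustration of a reflected XSS hole in a store search page and its fix.
// Assumed: a search handler that echoes the query back into the results page.

// Minimal HTML entity encoding for text placed inside an element body or a
// double-quoted attribute. Encoding at output time is the usual fix; it keeps
// the characters but stops the browser from treating them as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the user-supplied search term is concatenated into the page
// unchanged, so any markup in it becomes part of the document the browser parses.
function renderSearchResultsVulnerable(term) {
  return `<h1>Results for "${term}"</h1>`;
}

// Hardened: the same page, but the search term is HTML-encoded at the point of output.
function renderSearchResultsSafe(term) {
  return `<h1>Results for "${escapeHtml(term)}"</h1>`;
}

// Quick review check: given a render function and a term that contains
// markup-relevant characters, does the term survive verbatim in the output?
// true means the reflection is unencoded (a reflected XSS candidate).
function reflectsUnencoded(render, term) {
  const html = render(term);
  return /[<>"']/.test(term) && html.includes(term);
}

// Constructed sample input: an ordinary search and one carrying harmless markup.
const SAMPLE_TERMS = ["striped socks", 'socks"><b>injected</b>'];

for (const term of SAMPLE_TERMS) {
  console.log("vulnerable:", renderSearchResultsVulnerable(term));
  console.log("hardened:  ", renderSearchResultsSafe(term));
  console.log("reflects unencoded?", reflectsUnencoded(renderSearchResultsVulnerable, term),
              "/", reflectsUnencoded(renderSearchResultsSafe, term));
}
```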
Daniel Ruf had dutifully informed Dedoles about his findings in the hope that the holes would be closed before they were discovered by cyber thugs. But nothing has happened: "So far, there has been no response or reaction from Dedoles to my messages," he explained to c’t. He therefore asked us to take on the case.
We then looked for a suitable contact at the sock store and contacted the company’s press office on October 20. Our mail contained not only all the information needed to fix the vulnerabilities, but also some standard questions: how long have the security holes existed, have they already been exploited by cyber villains, and so forth.
The company did not respond to our mail either. About a month later, on November 16, we contacted Dedoles again. This time, too, we waited a month for an answer, in vain. Our questions remain unanswered, the gaps unpatched.