Security research firm finds vulnerabilities in the website of the WEF, which organises the annual conference in Davos
A security flaw on its website led to the World Economic Forum at Davos leaking attendees’ email addresses for at least five days in mid-January.
Embarrassingly for the organisation, even while their insecure website was exposing attendees’ information, the World Economic Forum released a report arguing that a failure to deliver “a robust, co-ordinated approach to cybersecurity” could cost the world up to $3 trillion.
The security flaws were revealed by information-security firm High-Tech Bridge, which discovered three major vulnerabilities on the WEF website, as well as one lesser vulnerability that leaked the emails of users.
The major vulnerabilities were all of a type known as cross-site scripting (XSS), which lets attackers inject their own script into pages served by the target website, where it runs in other visitors’ browsers. Not every XSS vulnerability can be exploited, but all are potential vectors of attack. At their worst, attacks using XSS can hijack a user’s machine entirely.
Thousands of emails
The firm also discovered a second flaw, which they say would have allowed them to harvest thousands of emails held by the organisation. The flaw was in the organisation’s contact form, and allowed attackers to change a simple request parameter to expose email addresses associated with the forum. It’s unclear exactly which database the addresses were being drawn from, but they include individuals with addresses ending in @hsbc.com, @london2012.com and @kpmg.ca.
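The contact-form flaw described above is the familiar pattern of a record looked up by a client-supplied id with no ownership check. The following is an added illustration, not the WEF’s code and not High-Tech Bridge’s findings: a minimal vulnerable lookup, the hardened version that ties the record to the logged-in user, and a check over constructed access-log lines that flags a client walking through ids. The record ids, addresses and log lines are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample data standing in for the forum's contact records:
# id -> (owning account, e-mail address).
CONTACTS = {101: ("alice", "alice@example.com"),
            102: ("bob", "bob@example.org")}

def lookup_vulnerable(record_id):
    """Returns the address behind whatever id the client supplies:
    the 'change a simple parameter' flaw reduced to its essence."""
    return CONTACTS.get(record_id, (None, None))[1]

def lookup_hardened(record_id, session_user):
    """Returns the address only if the record belongs to the logged-in user.
    'Missing' and 'not yours' get the same answer, so ids cannot be probed."""
    owner, email = CONTACTS.get(record_id, (None, None))
    if owner is None or owner != session_user:
        return None
    return email

# Constructed access-log lines: one client requesting sequential ids.
LOG = """\
203.0.113.5 GET /contact?id=101
203.0.113.5 GET /contact?id=102
203.0.113.5 GET /contact?id=103
203.0.113.5 GET /contact?id=104
198.51.100.7 GET /contact?id=101
"""

def enumeration_suspects(log_text, threshold=3):
    """Flags clients that requested more distinct contact ids than
    threshold, the simplest signal that a parameter is being walked."""
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        client, _, path = line.split(" ", 2)
        if path.startswith("/contact?id="):
            ids_by_client[client].add(path.split("=", 1)[1])
    return sorted(c for c, ids in ids_by_client.items() if len(ids) > threshold)
```

The hardened lookup is the fix; the log check is the compensating control that would have shown the harvesting while it was happening.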
Despite High-Tech Bridge contacting WEF, the organisation didn’t fix the vulnerabilities until the security researchers went public with what they had found on Wednesday, five days after the Forum was first contacted.
“It’s regrettable that such respectable, large and important organisations as the WEF don’t pay enough attention to web security,” says Ilia Kolochenko, the chief executive of High-Tech Bridge. “This may not only put their own infrastructure at risk, but their stakeholders’ as well. Hopefully, they will change their security policy soon and provide security researchers with a responsive security contact, just like many other companies and organisations do today.
“I sincerely hope that these vulnerabilities were not exploited by hackers for whom WEF and its participants are very attractive targets.”
‘Trolling for business’
A WEF spokesman told the Guardian not to take High-Tech Bridge’s claims seriously, saying that the firm was “trolling” having failed to secure a contract with the forum.
“It’s deeply unprofessional behaviour by any company to go around trying to troll for business,” the spokesman added. “We review all of our stuff as we go along, we review it internally and externally, and we’re satisfied with the security we have in place on our website.”
Kolochenko says that “we have never entered into a bid for a contract with WEF, nor were we trolling for business. We simply found those website vulnerabilities after surfing the WEF website for information about the Davos annual meeting. We have alerted several companies to website vulnerabilities we’ve found, for free, and have a proven track record of this without requesting referrals or payment from them. So, why on Earth would we start now with the WEF’s?
“Surely the fact that someone from WEF called us yesterday to apologise for WEF’s delay in responding, thanked us and let us know that the vulnerabilities we had found had been fixed demonstrates that we were right.”
The World Economic Forum’s annual meeting at Davos in Switzerland began on Tuesday and continues until Saturday 25 January. This year’s theme is “The Reshaping of the World”, and attendees include Bill Gates, Kofi Annan and John Kerry. The pope did not attend, but did contribute a special address to the meeting.