UPDATE: at 1:45 p.m. Heise reported:

Lieferando.de closes security gaps

The pizza ordering service Lieferando.de has closed a gap on its website that could potentially allow attackers to take over accounts. The company assures that user data was never at risk.


Due to an insecure search field that has not been fixed to date, fraudsters have been able to take over Lieferando accounts

Security researcher Robert Kugler became aware of a security flaw in the search field of the delivery service's website and contacted the company about a month ago. Because he did not receive a satisfactory response from the company, and in order to warn registered customers, Kugler contacted heise Security.

Check not sufficient

According to Kugler, the input entered into Lieferando's search field is not sufficiently validated, so that attackers can inject code via cross-site scripting (XSS) that is then executed in a visitor's web browser.

The dangerous part: the attackers can read cookies, gain access to the user data stored in them and thus take control of user accounts. It would also be possible to redirect users to another page via the login button or even to plant an exploit kit on the page.
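The two defences that address exactly this class of flaw are output encoding of the reflected search term and keeping the session cookie out of reach of script. The following is an added example and is not code from heise, Mimikama or Lieferando; the function names, the hardened-cookie check and the sample search term are constructed for illustration. It contrasts the vulnerable rendering pattern with the encoded one and shows a session cookie set with the HttpOnly, Secure and SameSite attributes.

```python
# Added example (not from the heise/Mimikama article): rendering a reflected
# search term so injected markup stays inert, and issuing the session cookie
# so that script running in the page cannot read it.
import html
from http.cookies import SimpleCookie


def render_results_unsafe(term: str) -> str:
    # Vulnerable pattern: user input copied verbatim into the HTML page,
    # so any markup in the term is parsed and executed by the browser.
    return f"<h1>Results for: {term}</h1>"


def render_results_safe(term: str) -> str:
    # Hardened pattern: every HTML metacharacter in the term is encoded,
    # so the browser displays it as text instead of interpreting it as markup.
    return f"<h1>Results for: {html.escape(term, quote=True)}</h1>"


def contains_active_markup(page: str) -> bool:
    # Crude check used only for this demonstration: does the rendered page
    # still contain a raw <script tag or an inline event handler attribute?
    lowered = page.lower()
    return "<script" in lowered or "onerror=" in lowered or "onload=" in lowered


def session_cookie_header(session_id: str) -> str:
    # Defence in depth: HttpOnly hides the cookie from document.cookie,
    # Secure restricts it to HTTPS, SameSite limits cross-site sending.
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def cookie_is_hardened(header: str) -> bool:
    # Inspect an existing Set-Cookie header for the three attributes above;
    # a cookie lacking HttpOnly is readable by any script injected via XSS.
    h = header.lower()
    return "httponly" in h and "secure" in h and "samesite=" in h


# Constructed sample input modelled on a classic XSS probe string.
SAMPLE_TERM = 'pizza"><script>alert(1)</script>'

if __name__ == "__main__":
    print(render_results_unsafe(SAMPLE_TERM))   # markup survives: executable
    print(render_results_safe(SAMPLE_TERM))     # markup encoded: plain text
    print(session_cookie_header("constructed-session-id"))
```

Encoding at the point of output, as `render_results_safe` does, is the fix for the search field itself; the cookie attributes do not close the XSS hole but limit what injected script can steal if a reflection is missed elsewhere.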

Problem has not been resolved yet

In conversation with heise Security, Kugler noted that he had already informed the company about this in the middle of last month (March 2016). Support only tried to reach the IT department, and so far no one has responded.
In its own test, heise Security confirmed that the problem has not yet been resolved.

Source: heise Security

Notes:
1) This content reflects the state of affairs at the time of publication. The reproduction of individual images, screenshots, embeds or video sequences serves to discuss the topic.
2) Individual contributions were created with the use of machine assistance and were carefully checked by the Mimikama editorial team before publication.