XSS Flaw May Exist on Old NY Times Article Pages

Credit: New York Times Company.

(Image credit: New York Times Company.)

Articles on the New York Times website dated before 2013 contain a flaw that could be used by cybercriminals to launch attacks on Times readers, according to Singapore-based security researcher Wang Jing.

Only New York Times article pages dated before 2013 are affected; it appears that after that point, the publication's tech support discovered the issue and fixed it for all subsequent article pages. Still, the amount of traffic generated by older Times articles could make them promising places for cybercriminals to lay their malware traps.

MORE: Should You Trust Facebook with Your Anonymity?

The flaw is a cross-site scripting (XSS) issue, which could let people inject their own code (called client-side script because it comes from the user end, or client side, of the webpage) into New York Times webpages. Any subsequent visitors to those pages would then be affected by the injected code. 

The types of client-side scripts that could be injected via XSS include: session hijacking, phishing, URL redirecting and even browser exploits, i.e. code that exploits an unpatched flaw in a browser in order to download malware to the user's computer. 

As of yet, there are no known cases of criminals exploiting the Times' XSS issue in order to attack users. However, according to Wang, the threat is possible, and the New York Times has a big enough audience that an XSS attack, even via its older articles, could still affect a broad number of users. The affected New York Times articles are still indexed in Google search engines, and are still frequently hyperlinked in other articles.

XSS issues are not entirely uncommon. This past June, Twitter client Tweetdeck suffered an XSS issue that let people simply tweet lines of executable code. If those Tweets showed up in a user's Tweetdeck, the code would execute, creating anything from an annoying popup to advertising spam.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, onFacebook and on Google+.