Researchers at Checkmarx recently conducted critical Cross-site scripting (XSS) vulnerabilities on the website of polling agency Gallup that they say could have been used by malicious parties to gain access to the research agency’s platform.
The research Notes XSS is a vulnerability that could allow attackers to gain “complete control over an application’s functionality and data,” especially if the impersonated user has been granted privileged access.
By allowing arbitrary code execution, the vulnerability could even have allowed attackers to add unauthorized items to users’ shopping carts (as the site also sells customizable surveys and books).
Risk of misinformation
The vulnerabilities were discovered in June 2024, but have since been fixed – but at a time when reliable and secure information is so important, particularly regarding political opinions, the fallout from the flaw could have been severe. It is possible that a malicious party has placed fake poll results or information on the site, the Checkmarx team confirmed.
“In an era where misinformation and identity theft are major threats, the security of survey platforms is crucial, particularly during crucial global election cycles,” the report said. “It is important to note that this endpoint is often used to access Gallup surveys, which can make users more susceptible to abuse.”
The 2024 election campaign has seen an exceptionally high rate of misinformation and attempted election meddling. Therefore, it is important for influential or prominent companies to ensure the security of their sites to keep information safe.
Web defacement is a relatively common practice for hackers to spread their message or embarrass site owners, but in this case the information could have easily been disguised as legitimate, with the intent of influencing voters. In a remarkably close election, swing state votes are particularly important, so potential vulnerabilities should be closely monitored.