Gallup Addresses XSS Bugs in Website

Researchers flagged a pair of Gallup site XSS vulnerabilities.

Becky Bracken, Senior Editor, Dark Reading

September 10, 2024

2 Min Read
Gallup Organization sign
Source: Kristoffer Tripplaar via Alamy Stock Photo

UPDATE

Editor's Note: Dark Reading has become aware that a portion of the original Checkmarx research on these vulnerabilities is in dispute, prompting us to retract sections of our reporting below.

As election season started to simmer over the summer, the Gallup polling company rushed to patch against a pair of cross-site scripting (XSS) vulnerabilities in the company's website that left it vulnerable to misuse by malicious actors.

Cybersecurity researchers with Checkmarx explained in a report on Sept. 9 that they first contacted the incident response team at Gallup on June 23 to report the XSS flaws — the first a reflected XSS bug with a CVSS score of 6.5 out of 10, and the second a document object model (DOM)-based XSS vulnerability with a CVSS score of 5.4.

The flaws do not impact any of Gallup’s internal data or polling.

Gallup's Cross-Site Scripting Vulnerabilities

In the case of the first reflected XSS flaw, the researchers found that "the /kiosk.gx endpoint does not properly sanitize or encode the query string ALIAS parameter value before including it on the page."

In the second flaw, the endpoint once again failed to protect query parameter values before adding them to the page.

To avoid similar XSS flaws, the researchers at Checkmarx suggest that cybersecurity teams ensure their data is properly encoded before sending it to the response markup (HTML) or page DOM. Further, they recommend tweaking the content security policy to block locations where the browser can fetch or execute scripts.

This post was updated at 11:30AM ET on Sept. 11, 2024, to reflect that the bugs affected the website, not the Gallup Poll itself.

Another update was made at 4:53PM ET on Sept. 11, 2024 to clarify that neither vulnerability could have allowed attacker access to Gallup.com infrastructure and did not put internal data at risk of compromise.

A third update was made at 1:03PM ET on Sept. 12, 2024, to remove sections of the article that were based on now-disputed portions of the original Checkmarx blog.

About the Author

Becky Bracken, Senior Editor, Dark Reading

Becky Bracken, Senior Editor, Dark Reading

See more from Becky Bracken, Senior Editor, Dark Reading
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe

You May Also Like

Editor's Choice

A filing cabinet folder labeled "Startups"
Cybersecurity Operations
When Startup Founders Should Start Thinking About CybersecurityWhen Startups Should Think About Cybersecurity
byNate Nelson, Contributing Writer
Sep 12, 2024
6 Min Read
Black background and white text saying Dark Reading Confidential
Vulnerabilities & Threats
Dark Reading Confidential: Pen Test Arrests, Five Years LaterDark Reading Confidential: Pen Test Arrests, Five Years Later
byDark Reading Staff
Sep 10, 2024
42 Min Listen
Yellow spider with black stripes and black and yellow legs perched on a web
Сloud Security
Socially Savvy Scattered Spider Traps Cloud Admins in WebSocially Savvy Scattered Spider Traps Cloud Admins in Web
byElizabeth Montalbano, Contributing Writer
Sep 12, 2024
4 Min Read
Reports
More Reports
Webinars
More Webinars
White Papers
More Whitepapers
Events
More Events