Gallup Poll Bugs Open Door to Election Misinformation


As election season started to simmer over the summer, the Gallup polling company rushed to patch against a pair of cross-site scripting (XSS) vulnerabilities in the company’s website that left it vulnerable to malicious actors.

Both flaws presented the opportunity for adversaries to perform actions on behalf of users, which could be used to manipulate Gallup polling and research outcomes. These weaknesses are particularly concerning heading into a US election season that is already being widely targeted by misinformation. Just this week, for instance, the US Department of Justice accused Russia of a $10 million disinformation campaign that sought to barrage social media with enough bad information to sway the presidential election in November.

Cybersecurity researchers with Checkmarx explained in a report on Sept. 9 that they first contacted the incident response team at Gallup on June 23 to report the XSS flaws — the first a reflected XSS bug with a CVSS score of 6.5 out of 10, and the second a document object model (DOM)-based XSS vulnerability with a CVSS score of 5.4.

“In an era where misinformation and identity theft pose significant threats, the security of survey platforms is crucial, particularly during pivotal global election cycles,” the Checkmarx team wrote. “Gallup, the leading survey company, quickly addressed security vulnerabilities that could be exploited to facilitate the dissemination of false information and compromise the personal data of users.”

Gallup’s Cross-Site Scripting Vulnerabilities

In the case of the first reflected XSS flaw, the researchers found that “the /kiosk.gx endpoint does not properly sanitize or encode the query string ALIAS parameter value before including it on the page.”

Exploitation of the vulnerability could allow malicious actors to execute code in the targeted user’s navigation session to perform various actions on their behalf, the researchers added.

“It’s important to note that this endpoint is commonly used to access Gallup surveys, which may make users more susceptible to exploitation,” the Checkmarx team wrote. “This could lead to unauthorized access to personally identifiable information (PII), manipulation of user preferences, and other detrimental actions.”

In the second flaw, the endpoint once again failed to protect query parameter values before adding them to the page, giving a malicious actor another opportunity to perform actions while impersonating the targeted user and even take over the account altogether.

To avoid similar XSS flaws, the researchers at Checkmarx suggest that cybersecurity teams ensure their data is properly encoded before sending it to the response markup (HTML) or page DOM. Further, they recommend tightening the content security policy to restrict the locations from which the browser can fetch or execute scripts.
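As an added illustration (not Gallup's code or Checkmarx's report), the pattern behind a reflected parameter like ALIAS on a kiosk page, shown beside the output-encoding fix the researchers recommend; the host, the page builders and the query strings are constructed for the example.

```javascript
// Added example, not code from the original article or from Gallup.
// The endpoint shape (/kiosk.gx?ALIAS=...) follows the report; the host,
// functions and sample query strings below are constructed.

// Minimal HTML entity encoder for text placed in element content or
// attribute values. Encoding the five characters with meaning in HTML is
// what turns a reflected parameter into inert text.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read a named query parameter from a URL, as a kiosk page would for ALIAS.
function queryParam(url, name) {
  return new URL(url).searchParams.get(name) || '';
}

// Vulnerable pattern: the raw parameter is concatenated into the markup,
// so any tag in it becomes part of the page.
function renderKioskVulnerable(url) {
  const alias = queryParam(url, 'ALIAS');
  return `<h1>Survey: ${alias}</h1>`;
}

// Hardened pattern: the parameter is HTML-encoded before it reaches markup.
// In DOM code the equivalent is assigning element.textContent rather than
// innerHTML.
function renderKioskSafe(url) {
  const alias = queryParam(url, 'ALIAS');
  return `<h1>Survey: ${encodeHtml(alias)}</h1>`;
}

// Review check: does untrusted input containing markup characters appear
// verbatim in the rendered output? True means the reflection is unencoded.
function reflectsMarkup(input, output) {
  return /[<>"']/.test(input) && output.includes(input);
}

// Defence in depth: a CSP that limits where scripts may load from, so even
// an injected inline script is not executed by a compliant browser.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Constructed samples: a benign alias and one carrying a script tag.
const benign = 'https://example.invalid/kiosk.gx?ALIAS=employee-engagement';
const hostile = 'https://example.invalid/kiosk.gx?ALIAS=' +
  encodeURIComponent('<script>alert(1)</script>');
```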

“The prevalence of misinformation was identified as the top global risk in 2024 by the World Economic Forum’s ‘Global Risks Report 2024,’” Checkmarx vice president of security research Erez Yalon says. “[It’s important to] secure software that is prone to exploits of malicious actors, educate and close the knowledge gap, and hopefully safeguard the integrity of the election process.”
