Ngee Ann Poly Student Discovered & Reported IT Vulnerability In Universal Studios Singapore Website; Not Even Acknowledged For His Efforts


Taufiq Mohammed, a second-year Information Security student at Ngee Ann Polytechnic, discovered a serious vulnerability in the Universal Studios Singapore game contest website. He found a persistent XSS vulnerability in the website and tested it out before very kindly informing the IT department of USS.


Unfortunately, not only did Taufiq not receive a thank-you for his civic-mindedness, there was nary a reply from the USS IT department. When Taufiq tried to replicate the exploit a few days later, he realised that it had been fixed quietly. Guess the IT department received his email after all but very rudely chose not to acknowledge his valiant efforts.


It had been 3 days and I hadn’t gotten a reply from them. So I went ahead to check if the vulnerability was patched. I tried submitting the same name as mentioned above and when it was displayed back to me from the leaderboard, the tags were removed.

From what I could infer, their solution probably involved the server performing HTML sanitization on the name. Guess the vulnerability was fixed :).

Hopefully this shout-out will give Taufiq the credit he deserves, and shame on you, Universal Studios Singapore (USS). Coming on the back of Singapore’s most serious hacking incident, USS should have done better than to cover things up, shouldn’t it?
