Security of Fiji’s Major Company Websites
Taking a look at the largest websites on the com.fj domain (Fiji domains) I was surprised that 8 out of the 11 websites I looked at had security flaws that can be detected in about 10 seconds (literally) with just a browser.
These websites were Vodafone, Connect, Fiji White Pages, AFL, Fiji Sun, Air Fiji, Fiji TV, Fiji Times among others.
Those that don’t have apparent security flaws:
Airports Fiji Limited
Air Fiji
Fiji Times
Those that have apparent security flaws:
Telecom Fiji Limited
Vulnerability: XSS, XSRF
Severity: Low
Note: No user accounts to exploit
Vodafone
Vulnerability: XSS, XSRF
Severity: Critical
Note: User accounts are affected. An attacker can log in as another user with their privileges
Connect
Vulnerability: XSS, XSRF
Severity: Critical
Note: User accounts are affected. An attacker can log in as another user with their privileges
Fiji White Pages
Vulnerability: XSS
Severity: Low
Note: There are no user accounts so users are not affected
Fiji Yellow Pages
Vulnerability: XSS, Blind SQL Injection
Severity: Medium
Note: There are no user accounts, so users are not affected. However, the whole database can be read.
Fiji Sun
Vulnerability: XSS
Severity: Low
Note: There are no user accounts so users are not affected. Attack requires social engineering.
Fiji TV
Vulnerability: XSS, XSRF, SQL Injection
Severity: Critical
Note: User accounts are affected. An attacker can log in as another user with their privileges. Direct SQL injection can retrieve all user details and possibly administrative access to the website.
South Pacific Stock Exchange
Vulnerability: Blind SQL Injection
Severity: Critical
Note: Blind SQL injection can read the database (blindly, one answer at a time) and possibly gain administrative privileges.
Now this is quite disturbing. I only tested two basic exploits, XSS and SQL Injection. The XSRF vulnerabilities are implied wherever XSS is present and user accounts exist on the same domain.
No need to panic: estimates claim that around 70% of the websites on the internet are vulnerable to XSS. What amazes me, however, is that these are large corporate websites; their web developers should know better.
Disclaimer: I am not disclosing any details on the vulnerabilities found on the mentioned websites except the fact that they exist. You’ll have to take my word for it.
Update: As requested by JJ, here’s a look at the FVB website:
FVB
Vulnerability: XSS, Blind SQL Injection
Severity: Critical
Note: XSS can be used to log in as another user, possibly gaining administrative privileges. Blind SQL injection can read the database (blindly) and possibly gain administrative privileges.