Sri Lankan popular daily deal website MyDeal.LK is having a cross site scripting vulnerability. Because of the vulnerability an attacker can craft a URL that contains a malicious script to be executed on a unsuspecting victim who thinks he is visiting MyDeal.LK.
The vulnerability exists in the “deals.php?id=[id]” parameter. Where an attacker can inject a malicious script like this :
http://www.mydeal.lk/deals.php?id=%5Bid%5D”><script>EVIL SCRIPT HERE</script>
The attacker can replace the EVIL SCRIPT HERE with a malicious script that’ll look for an exploit in the victims computer that can be used to gain access to the computer, it can be used to give a drive by download to the victim or the attacker can steal information like session cookies of the admins that can be used to gain access to the website.
I’ve reported the vulnerability to MyDeal.LK. Hope they will fix the vulnerability soon. The best way to keep yourself protected is not to click on links that are from suspicious sources.