The injected JavaScript can access the session cookies of the Vodafone website and send them to a server under the attacker's control. An attacker can then take over the session of the logged-in Vodafone customer.
Hackers Could Execute Code In The Name Of The Website
This is extremely dangerous because the browser executes the injected code as if it were the vulnerable website's own code and thus gives it access to all of the website's resources. The code can manipulate the page in any way and can eavesdrop on keystrokes; a keylogger that records Vodafone customers' passwords as they type them would be conceivable. It is also possible to exploit security gaps in browsers and to spread malware. Often, these attacks target the victim's session cookies: the code can use the page's document object to retrieve all cookies that the browser has stored for the vulnerable website.
In the case of Vodafone, it would most likely have been possible to view customer data and invoices and even to set up call diversion. This is a common method of making quick money: attackers divert numbers to expensive premium-rate ones and earn money from the connection charges. The victims often only notice the fraud on their next phone bill, which is unusually high. The customer's e-mail address is also attached to the Vodafone account, so taking over additional accounts would have been conceivable: the attacker would only have to trigger the forgotten-password function of another service that the Vodafone customer uses.
No security policies were active on the website at the time of going to press. Apparently, the company is confident that in future it will reliably detect code that has been smuggled in from outside before it is executed. The provider adds that it has no indications that this now-closed vulnerability was abused. Why the vulnerability, in such a prominent part of the website, was only closed several weeks after it became known remains unclear.