A hacker discovered a flaw in the firm’s web system that could allow them to easily steal millions of customer login details.
TalkTalk is facing renewed calls to improve its cybersecurity after an anonymous hacker contacted Sky News about a website flaw that went unfixed for years.
The hacker – known as “B” – found a “Cross-Site Scripting” error allowing him to take control of a convincing-looking “talktalk.co.uk” URL, which meant he could potentially trick any of the company’s webmail customers into thinking they were accessing an official TalkTalk website.
He then showed us through a secure demonstration how easy it would be to steal a victim’s login details, and any other sensitive information, if he could get the individual to click on the link.
This could be done, he suggests, through targeting customers with email phishing techniques, or by circulating his own link around tech support forums or social media.
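To make the class of flaw concrete from a defender's point of view, here is an added, self-contained illustration; it is not code from TalkTalk's site or from the article. It assumes a hypothetical search page that reflects a query parameter back into its HTML, shows the unencoded version beside the output-encoded fix, and includes a simple check a reviewer can run on the rendered page. The URL and template are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlparse

# Hypothetical page template, constructed for this example.
TEMPLATE = "<html><body><h1>Results for: {query}</h1></body></html>"


def _query_param(url: str, name: str = "q") -> str:
    """Pull one query-string parameter out of a URL ('' if absent)."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_unsafe(url: str) -> str:
    """Reflects the parameter into the page without encoding.

    This is the pattern behind a reflected cross-site scripting bug: whatever
    is in the URL becomes part of the page's markup, so a crafted link on the
    real hostname can change what the browser renders.
    """
    return TEMPLATE.format(query=_query_param(url))


def render_safe(url: str) -> str:
    """Same page, but the parameter is HTML-encoded before insertion.

    html.escape turns <, >, &, " and ' into entities, so the value can only
    ever appear as text in this context, never as a tag or attribute.
    """
    return TEMPLATE.format(query=html.escape(_query_param(url), quote=True))


def parameter_escapes_text_context(rendered: str, raw_value: str) -> bool:
    """True if a markup-significant value was reflected verbatim.

    A cheap review check: if the raw parameter contained characters that mean
    something to the HTML parser and it shows up unchanged in the output, the
    reflection is unencoded and must be fixed.
    """
    has_markup_chars = any(c in raw_value for c in "<>\"'&")
    return has_markup_chars and raw_value in rendered


if __name__ == "__main__":
    # Constructed sample link using a placeholder hostname.
    sample = "https://webmail.example.test/search?q=<b>x</b>"
    print(render_unsafe(sample))  # tag is rendered as markup
    print(render_safe(sample))    # tag is rendered as literal text
```

The fix is contextual output encoding at the point where untrusted data enters the page; a `Content-Security-Policy` header that disallows inline script is a worthwhile second layer, but it does not replace the encoding.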
TalkTalk fixed the flaw this week after Sky News got in touch, but it has come to light that the company was first alerted to the bug through a so-called “bug bounty” platform in March 2016.
Bug bounties are rewards, often cash, paid to hackers who alert a company that its website is vulnerable to attack.
Speaking before the flaw was fixed, the hacker told Sky News: “The vulnerability is worryingly easy to locate. The vulnerable page and parameters can be identified within seconds of looking at the website.
“After initially identifying it, we also discovered that it was submitted to a bug bounty platform in 2016. Relevant notification was issued to TalkTalk and we’ve made multiple attempts to get them to fix it.
“What I can’t understand is why such neglect is applied to TalkTalk’s website security. TalkTalk’s website has a history of vulnerabilities. One would assume that after the attack in 2015, they would pay more attention to the state of their security.”