Rohit Kapur of Aon’s Cyber Solutions recently discovered a vulnerability in The New York Times’ Virtual Agent. The identified vulnerability allowed an attacker to perform Cross-Site Scripting (XSS) attacks on help desk staff via the chat platform.
The vulnerability was disclosed to the New York Times on May 28th and was remediated within 45 minutes. Aon’s Cyber Solutions would like to thank The New York Times for working with us as part of our coordinated disclosure process to remediate this issue very quickly.