Digea Digital Provider S.A. is a company established by the national private TV channels ALPHA, ALTER, ANTENNA, MACEDONIA TV, MEGA, SKAI and STAR.
On February 7, 2014, it was declared the winner for all the rights to use radio frequencies for national and regional coverage. The company's goal was to build the country's terrestrial digital network and complete the transition from analog to digital television signal.
By the end of 2013 the company had activated 13 broadcast centers across Greece, giving more than 70% of the country's population access to the free terrestrial digital television signal.
With the completion of the terrestrial digital switchover, 156 broadcast centers were activated, covering 95% of the Greek population with a digital signal.
The company's achievements are impressive, but according to our well-known researcher Nyo (GHS), the official website of Digea allows users, malicious or not, to carry out cross-site scripting (XSS).
Cross-site scripting, or XSS, refers to the exploitation of vulnerabilities in computing systems by inserting HTML or JavaScript into a web page. A malicious user could enter code on a web page, for example through a text input field, and if the page does not filter that input correctly, it could cause problems for the site's administrator or visitors.
Example:
http://www.example.com/index.html?name=
The malicious user could:
Capture accounts and personal data
Change website settings
Steal cookies
Display false advertisements through a link
The vulnerability refers to the system's inability to filter and reject harmful inputs.
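An added example, not part of the original article and not Digea's code: the `name` parameter from the example URL above rendered without filtering, and then with input rejection plus HTML output encoding. The function names, the allow-list and the sample requests are assumptions constructed for illustration.

```javascript
// Added example (hypothetical names, constructed inputs; not the site's code).

// Characters that let text break out of an HTML text node or attribute.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read the "name" query parameter from a request URL (empty if absent).
function getName(requestUrl) {
  return new URL(requestUrl).searchParams.get("name") ?? "";
}

// Vulnerable: the parameter is concatenated into the markup as-is,
// so any tags it contains become part of the page.
function renderGreetingUnsafe(requestUrl) {
  return { status: 200, body: "<p>Hello, " + getName(requestUrl) + "</p>" };
}

// Assumed policy: a name is 1-64 letters, digits, spaces or . ' -
const NAME_ALLOWLIST = /^[\p{L}\p{N} .'-]{1,64}$/u;

// Hardened: reject input outside the allow-list, then encode what is
// accepted for the HTML context so it is displayed as text only.
function renderGreetingSafe(requestUrl) {
  const name = getName(requestUrl);
  if (!NAME_ALLOWLIST.test(name)) {
    return { status: 400, body: "<p>Invalid name.</p>" };
  }
  return { status: 200, body: "<p>Hello, " + escapeHtml(name) + "</p>" };
}

// Constructed sample requests: a markup probe and an ordinary name.
const BASE = "http://www.example.com/index.html?name=";
const PROBE_URL = BASE + encodeURIComponent('<script>alert("probe")</script>');
const NORMAL_URL = BASE + encodeURIComponent("O'Brien");

for (const url of [PROBE_URL, NORMAL_URL]) {
  console.log("unsafe:", renderGreetingUnsafe(url));
  console.log("safe:  ", renderGreetingSafe(url));
}
```

Output encoding is the control that holds even if the allow-list is later loosened, which is why the hardened function applies both.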
See the screenshots sent to us by Nyo.
According to the researcher, he released the XSS as a response to the video "MEGA - DIGEA threatens with black!"
The video states that “according to information the Board of Directors of Digea has decided to proceed with weakening the station's signal despite the fact that negotiations are ongoing between shareholders and banks to find a solution. This means that either a "broken" image with pixels will be displayed, or a "frozen" image and only sound will be heard.”
https://www.youtube.com/watch?v=FCw3mzqefjg
He also says that the XSS was publicized not to support a private channel but to support the end viewer.
The XSS affects the whole page through JavaScript and can distort it completely.
SecNews.gr is at the disposal of anyone interested from the administration team of the Digea.gr page for details of the vulnerability.
