Digea Digital Provider SA is a company set up by private national television channels ALPHA, ALTER, ANTENNA, MACEDONIA TV, MEGA, SKAI and STAR.
On 7 February 2014 it was named the successful bidder for all rights to use national and regional coverage radio frequencies. The company's goal was to build the country's digital terrestrial network and complete the transition from analogue to digital television.
By the end of 2013, the company had activated 13 broadcast centers across Greece, giving over 70% of the country's population access to the free digital terrestrial television signal.
With the completion of the terrestrial digital switchover, 156 broadcast centers were activated, covering 95% of the Greek population with a digital signal.
The company's achievements are truly impressive, but according to our well-known researcher Nyo (GHS), the official website of Digea is vulnerable to cross-site scripting (XSS) by any user, malicious or not.
The term cross-site scripting, or XSS, refers to the exploitation of various vulnerabilities in computer systems by inserting HTML or JavaScript code into a web page. A malicious user could insert code into a web page, through a text input for example, and because the page does not filter it properly, it could cause problems for the site administrator or the visitor.
Example:
http://www.example.com/index.html?name=
The malicious user could:
Capture accounts and personal data
Change website settings
Steal cookies
Post false advertisements through a link
The vulnerability lies in the system's inability to filter and reject harmful input.
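The filtering failure described above, as an added example that is not taken from the article or from Digea's site: a page template that reflects the `name` parameter unchanged, beside the same template with output encoding. The function names are hypothetical and the sample requests are constructed on the article's example.com URL pattern.

```javascript
// Added example: reflected XSS via the "name" query parameter, and the fix.
// escapeHtml, getName, renderVulnerable and renderSafe are hypothetical names.

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read the parameter the way a server-side handler would.
function getName(requestUrl) {
  return new URL(requestUrl).searchParams.get('name') ?? '';
}

// Vulnerable: untrusted input is concatenated into the markup unchanged,
// both in element content and inside a quoted attribute.
function renderVulnerable(requestUrl) {
  const name = getName(requestUrl);
  return `<p>Hello, ${name}</p><input value="${name}">`;
}

// Hardened: the same template, with output encoding applied at the sink.
function renderSafe(requestUrl) {
  const name = escapeHtml(getName(requestUrl));
  return `<p>Hello, ${name}</p><input value="${name}">`;
}

// Constructed sample requests (not taken from the article).
const benign = 'http://www.example.com/index.html?name=Maria';
const probe = 'http://www.example.com/index.html?name=' +
  encodeURIComponent('"><script>alert(1)</script>');

console.log(renderVulnerable(probe)); // markup from the URL reaches the page
console.log(renderSafe(probe));       // same input rendered as inert text
console.log(renderSafe(benign));      // ordinary names are unaffected
```

Encoding at the point of output, rather than trying to strip "bad" input, is what keeps the value inert in both the element body and the quoted attribute.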
Check out the screenshots that Nyo sent us
According to the researcher, he published the XSS in response to the video "MEGA - DIGEA threatens with black!"
The video states that "according to information, the Board of Directors of Digea has decided to weaken the station's signal despite the fact that negotiations are underway between shareholders and banks to find a solution. This means that either a "broken" image will be displayed with pixels, or a "frozen" image and only sound is heard."
https://www.youtube.com/watch?v=FCw3mzqefjg
He also says that the XSS was publicized not to support a private channel but to support the end viewer.
The XSS affects the whole page through JavaScript and can deform it completely.
SecNews.gr is at the disposal of anyone on the Digea.gr management team who wants details of the vulnerability.