A Belgian security researcher discovered a vulnerability on the website of Vatican News, the official news site for the Holy See.
First discovered by Inti De Ceukelaire, the flaw was an unpatched cross-site scripting (XSS) vulnerability that anyone could exploit to plant fake news on the site.
De Ceukelaire said he had warned Vatican News about the issue on nine separate occasions. The webmaster of Vatican News read his emails, but the publication failed to resolve the issue. For this reason, De Ceukelaire felt compelled to disclose the issue publicly by posting a tweet to his followers.
He tweeted a picture of Vatican News falsely stating that Pope Francis had declared God to be an onion.
GOD = AALSTENAAR. Not my words, the Pope's. Thanks, @Pontifex! LINK: https://t.co/GbOQrr2NJg (1/2) pic.twitter.com/FsvVeniycg
— Inti De Ceukelaire (@intidc) February 8, 2018
“I saw the Vatican had a new website a while ago. Whenever a huge website launches a new communication platform, I check it out. I want to see what technologies or software they’re using, how they follow design trends and whether they have innovative features. I don’t necessarily look for vulnerabilities, but this one was pretty obvious,” he explained.
“Two weeks ago, I told them that if they would not state they were going to fix this, I’d do responsible full disclosure. Not to harm them, but to show that fake news can easily be spread. Pope or not, you need to comply with security standards,” he argued.
De Ceukelaire was previously behind several other high-profile flaw discoveries. One, in September, was his disclosure of ways to access corporate messaging apps such as Slack and Yammer by exploiting publicly accessible help desks and bug trackers.