Vatican News, the Vatican’s official news website, today published a story announcing that Pope Francis has recognized the unimaginable: God is an onion.
As usual, the ‘joke’ probably didn’t sit well with the faithful, but the truth is that it could have been much worse. The false story is the work of Inti De Ceukelaire, a Belgian security researcher already known for finding bugs in Slack and for redirecting links in tweets from Donald Trump himself.
On this occasion, De Ceukelaire found an XSS (cross-site scripting) vulnerability in the Vatican News code. The bug allows an attacker to inject arbitrary script into the page and use it to, for example, redirect visitors to malicious content. It is not the most severe kind of XSS that exists, but it can still be a problem.
The most serious part of the incident is that De Ceukelaire is an ethical hacker. He discovered the flaw some time ago and reported it privately to the Vatican without making it public. Nobody answered or fixed the flaw, so the researcher disclosed it with a little humor.
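To show why an unescaped value in a page turns into the kind of script injection described above, here is an added example (not code from Vatican News or from De Ceukelaire’s report): a tiny template rendered once without and once with HTML output encoding, plus a crude check for script content in the result. The search-term parameter and the template are assumptions for illustration.

```javascript
// Added example, not from the article: how a reflected XSS arises and how
// output encoding neutralises it. The "q" parameter and the page fragment
// are assumptions made for this illustration.

// Encode the five characters that carry meaning in HTML text and attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the untrusted value is concatenated straight into the markup,
// so any tags it contains become part of the page the browser executes.
function renderVulnerable(q) {
  return `<h1>Results for: ${q}</h1>`;
}

// Hardened: the same template, but the value is encoded first, so the
// browser shows it as literal text instead of parsing it as markup.
function renderSafe(q) {
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Rough defender-side check over rendered output: does the fragment contain
// a script element or an inline event handler the template never wrote?
function containsActiveContent(html) {
  return /<script\b|\bon[a-z]+\s*=/i.test(html);
}

// Constructed sample input: a value carrying markup instead of a plain term.
const SAMPLE_INPUT = "<script>alert(1)</script>";

// Returns both renderings so a reader can compare them side by side.
function demo() {
  return { vulnerable: renderVulnerable(SAMPLE_INPUT), safe: renderSafe(SAMPLE_INPUT) };
}
```

Output encoding is the minimum fix; a Content-Security-Policy that disallows inline script is a useful second layer because it limits what injected markup can do even when a template is missed.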