Even the big kids make mistakes: the VeriSign, McAfee, and Symantec websites are all vulnerable to XSS attacks, according to a recent report from XSSed. The report lists several examples of vulnerabilities found in more than one location on each company's domain.
Three security powerhouses vulnerable to XSS. (Image: J. Anderson)
Now, most of the examples mirrored in the XSSed article have been fixed. Yes, there is a risk that these flaws could be used to abuse user trust, but remember that these sites belong to respected giants in IT security. Not merely respected companies, but brands and names so well known that it would be hard to shake the confidence the public has in them. The problem with the XSS avenues that are still valid is that someone can exploit them for malicious ends. To date there have been no reports of infections on these sites.
When it comes to McAfee, news of XSS vulnerabilities is nothing new. Their “Hacker Safe” program has already been shown to be flawed because it does not offer XSS protection, and then there is the quote from Cresta Pillsbury explaining that ScanAlert goes in “Um… we go in like a super hacker…” (YouTube: http://tinyurl.com/5bkknp). Really, the super hacker comment is a story all on its own.
The XSSed article details eight vulnerabilities on McAfee’s domain, seven of which are fixed, and comments, “Building user trust just with evil marketing is not the correct way forward! You do knowingly deceive online users with fake promises concerning their privacy and security. How is this for a business plan? Deliberate deception techniques like yours are only used for the sake of profiting from increased sales. We are still receiving on a frequent basis many XSS vulnerable "Hacker unSafe" web sites.
It is an embarrassing fact that your site is also vulnerable!”
VeriSign has five flaws, two of which are already known and have been covered online. “Many high profile sites are "VeriSign Secured" (allow me to have my doubts here) and VeriSign’s own one unsecured? Just wonder how easy it would be for the bad guys to phish your clients or their customer base - I don't think that they are all aware of the risks imposed by XSS vulnerabilities,” Dimitris Pagkalos wrote in his article. (See update below -ED.)
When it comes to Symantec, XSSed has its own beef with the security company. Symantec blacklisted the XSSed website for a while because it hosts mirrors of XSS examples. Out of seventeen XSS issues located on Symantec’s domain, ten have been corrected.
Mirrors of each of the exploits, as well as the original article, are here: http://tinyurl.com/4wpab2
UPDATE:
"I wanted to let you know that VeriSign took immediate action to fix the issues highlighted in the XSSed clip. As of yesterday, all of the issues have been fixed. These security vulnerabilities were minor and did not grant any access to VeriSign systems or customer data," a VeriSign spokesperson told Tech Herald in an email this evening.
There was no doubt that they would address and fix these XSS issues. Even if they were minor, they were still XSS problems and needed to be fixed. VeriSign sat down with TTH during RSA, and from that meeting it is clear that they are serious about security. The XSS problems simply prove that no one, not even VeriSign, is immune.
"All Web sites are potentially vulnerable to XSS attacks, which can be remedied by ongoing Web application scans. A site that is "VeriSign Secured" means that the site's authenticity has been confirmed by VeriSign and that the information entered into a transactional page is encrypted, which establishes a secured session. To ask why this does not address an XSS attack would be like asking why a "VeriSign Secured" site did not prevent social engineering, a virus outbreak, a DOS attack, etc.," the email added.
This is true, and during an interview with VeriSign, I did ask that question (why didn't they check for and enforce stricter code standards on EV SSL sites?). Maybe I was out of line, but I’m not the only one who pondered that thought. VeriSign should not, would not, and cannot move out of its role as an identity-based security company. EV SSL is nothing more than proof that a site is who it claims to be; it will not prevent XSS attacks. Sites with EV SSL differ from those with Hacker Safe: VeriSign Secured is not the same as Hacker Safe, nor was it ever intended to be. For the record, at no time does VeriSign claim that EV SSL prevents these types of flaws on a site.