1/17/2008
02:20 PM
Many 'Hacker Safe' Web Sites Found Vulnerable

Computer scientists say that more than 60 sites certified as safe by McAfee's ScanAlert service have been vulnerable to cross-site scripting attacks.

More than 60 Web sites certified to be "Hacker Safe" by McAfee's ScanAlert service have been vulnerable to cross-site scripting (XSS) attacks over the past year, including the ScanAlert Web site itself. While the XSS hole in the ScanAlert site and others have been addressed, some apparently have not been, leaving visitors potentially vulnerable to client-side attacks.

Joseph Pierini, director of enterprise services for the ScanAlert "Hacker Safe" program, maintains that XSS vulnerabilities can't be used to hack a server.

Still, Kevin Fernandez and Dimitris Pagkalos, two computer scientists who maintain XSSed.com, a site that has been tracking XSS vulnerabilities since February 2007, provided InformationWeek with a list of 62 Web sites certified as "Hacker Safe" on which XSS holes have been reported. The list includes brookstone.com, cafepress.com, cduniverse.com, gnc.com, mysecurewallet.nl, petsmart.com, and sportsauthority.com, among other familiar brands.

The XSSed.com site tracks whether reported XSS flaws have been fixed, but such information may not be accurate if the site making the repairs, or the initial discoverer of the hole, fails to report the fix.

Fernandez said the sites on his list displayed a "Hacker Safe" badge at the time XSS holes were identified. While some of these vulnerabilities have since been addressed, security researchers report that some sites currently certified as "Hacker Safe" also are currently vulnerable to XSS attacks.

As of Wednesday, Toastmasters.org, a Web site certified to be "Hacker Safe" by McAfee's ScanAlert service, was one such site.

Russ McRee, a Seattle-based computer security researcher, on Wednesday published information on his blog detailing a cross-site-scripting vulnerability that affects the Toastmasters.org site.

Toastmasters International aims to help people overcome their fear of public speaking. An employee of the organization said that no one was immediately available to speak about the group's Web site. Further calls to the organization weren't returned.

McRee said that he alerted Toastmasters that its Web site was vulnerable.

Cross-site scripting is a type of Web application vulnerability. A successful cross-site scripting attack allows an attacker to inject HTML code or client-side scripts into a target Web page.

"XSS vulnerabilities do present a serious risk. However, to date their real-world use has been limited," said Oliver Friedrichs, director of Symantec Security Response in an e-mail. "XSS vulnerabilities can result in the theft of session cookies, Web site login credentials, and exploitation of trust. XSS vulnerabilities are site-specific, and therefore their life cycle is limited; they become extinct once they're discovered and repaired by the Web site owners."
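The injection mechanism described above, and the session-cookie theft Friedrichs mentions, as an added example that is not part of the original article: a minimal page that reflects a search query, shown in vulnerable and hardened form, plus a check for the HttpOnly cookie flag that keeps session cookies out of reach of injected script. All function names and the probe string are constructed for this example.

```javascript
// Added example (not from the article): reflected XSS in a minimal "search
// results" page, its hardened form, and two defensive checks.

// Encode the five characters that let user input break out of an HTML text
// context (the standard output-encoding mitigation for XSS).
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Vulnerable: the query is concatenated straight into the markup, so any
// tags or script it contains become part of the served page.
function renderVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened: the same page with the query encoded for the HTML text context.
function renderHardened(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Detection check: the template only emits an <h1>, so any other tag name in
// the rendered output is content that came from the user, not the template.
function containsUnexpectedTags(html, allowed = ['h1']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Mitigation check for cookie theft: a session cookie set without HttpOnly is
// readable by any script running in the page. Audit a Set-Cookie header value.
function cookieLacksHttpOnly(setCookieHeader) {
  return !/;\s*httponly(\s*;|\s*$)/i.test(setCookieHeader);
}

// Constructed sample input: a harmless probe string of the kind a scanner
// would echo back to see whether the site encodes its output.
const probe = '<script>x()</script>';
console.log(containsUnexpectedTags(renderVulnerable(probe))); // true
console.log(containsUnexpectedTags(renderHardened(probe)));   // false
console.log(cookieLacksHttpOnly('sid=abc; Path=/; Secure'));  // true
```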

Pierini maintains that XSS vulnerabilities aren't material to a site's certification. "Cross-site scripting can't be used to hack a server," he said. "You may be able to do other things with it. You may be able to do things that affect the end-user or the client. But the customer data protected with the server, in the database, isn't going to be compromised by a cross-site scripting attack, not directly."

Pierini dismisses the suggestion that certifying a site as "Hacker Safe" when it remains vulnerable to XSS attacks could be confusing to consumers. He insists that the meaning of the certification is clear and notes that his company's scanning service reports the XSS flaws it finds to its clients.

"We definitely identify this [XSS] and we definitely bring this to our customers' attention," he said. "And we provide our customers with the information. Our customers are allowed to make the decision where to put their resources. I personally want them to put their resources where they're needed most, in things that can affect the confidentiality, the integrity, or the availability of that system that we're certifying. Cross-site scripting can be used to do a variety of things, but it's all on the client side. And that's an area that we don't have control over."
