XSS Vulnerabilities Discovered on ESET, Panda and Symantec
A group of white-hat hackers called Team Elite has discovered XSS (cross-site scripting) flaws of varying degrees of seriousness on websites belonging to Panda Security, Symantec and ESET. The group notified each of the three companies about the problem so that they could sanitize their websites as soon as possible.
Team Elite states that these flaws are capable of enabling dangerous and severe phishing attacks. According to the group, XSS vulnerabilities are a result of improper coding practices, which may give rise to malware such as scripts, worms and other malicious programs that clandestinely enter computers to spread bogus e-mails. Essentially, these flaws fuel phishing attacks, the hackers' group notes. Spywared published this on October 5, 2010.
A member of Team Elite elaborated that XSS flaws posed a high risk and that attackers exploiting them could capture sensitive information such as account login details and other credentials. He emphasized that his team did not carry out this kind of activity and did not break into any website. Rather, they produced proofs of concept and raised awareness of the existing flaws so that the affected firms could fix the problems for their own benefit, the member stated. Net-security published this on October 4, 2010.
Meanwhile, reports indicate that no one misused the latest vulnerabilities before they were patched: all three security companies have ruled out any exploitation of the bugs affecting their websites. Moreover, no damage was done to the sites, since the companies corrected the flaws in time. Net-security reported this.
In one precautionary statement, the security researchers said that Panda Security, ESET and Symantec must all be particularly watchful and take the lead in maintaining online security, the area they specialize in. However, experience and time have shown that XSS issues are very common, even among data security providers.
It is also worth noting that in September 2010 a notorious virus named 'onMouseover' abused an XSS vulnerability on Twitter.com. Besides that website and the aforementioned security companies, cross-site scripting vulnerabilities were also observed affecting the PayPal, eBay and Security American Express websites in October 2010.
» SPAMfighter News - 19-10-2010