'Hacker Safe' Certified Sites Home to Hackers
Over 60 Internet sites certified as "Hacker Safe" by McAfee's ScanAlert service have been found vulnerable to cross-site scripting (XSS) attacks during the past year, among them ScanAlert's own site.
Although the XSS flaw in the ScanAlert website, along with those on some other sites, has since been fixed, several evidently have not been, leaving users potentially exposed to client-side attacks.
Computer scientists Kevin Fernandez and Dimitris Pagkalos, who maintain the website XSSed.com, which has been tracking XSS flaws since February 2007, supplied InformationWeek with a list of 62 Internet sites certified as "Hacker Safe" on which XSS flaws have been reported.
The list includes the websites of brookstone.com, cduniverse.com and cafepress.com, among others; the most recent addition is toastmasters.org, which also has an XSS flaw while carrying the "Hacker Safe" certification.
Despite this, spokespeople from ScanAlert (acquired by McAfee) and from Symantec gave some very odd explanations. Joseph Pierini, Director of Enterprise Services for ScanAlert's "Hacker Safe" program, asserted that XSS flaws cannot be exploited to attack a computer, as reported by Blogspot on January 20, 2008.
Pierini asserts that XSS flaws are not relevant to a website's authentication. In another statement, reported by InformationWeek on January 17, 2008, Pierini said that it might be possible to accomplish other things with the flaw, such as infecting the user or customer, but that the client data stored on the computer, in the database, would not be directly affected by a cross-site scripting attack.
Pierini rejected the idea that certifying a website as "Hacker Safe" while it remains susceptible to XSS attacks could be confusing to users. He maintains that the meaning of the certification is clear and explains that his firm's scanning service reports all detected XSS vulnerabilities to its customers.
According to Oliver Friedrichs, Director of Symantec Security Response, XSS flaws do pose a grave danger, although so far their real-world exploitation has been limited, Blogspot reported on January 20, 2008. Friedrichs said XSS flaws can lead to theft of session cookies and site access credentials, and to abuse of trust.
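Friedrichs' point about session-cookie theft is the practical reason an XSS flaw matters even when, as Pierini says, the server's database is not directly touched. The Node.js snippet below is an added illustration, not code from the article, ScanAlert or Symantec: it shows a hypothetical search-page handler that reflects user input unescaped beside a hardened version that HTML-encodes it, a session cookie issued with HttpOnly so injected script cannot read it, and the kind of reflection check a scanner applies. All function names and the sample input are assumptions.

```javascript
// Added example (not the article's or ScanAlert's code): a hypothetical search-page
// handler rendered two ways, plus a session-cookie header that denies script access.

// Encode the characters that let untrusted text break out of an HTML text node or attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable variant: the user-supplied query lands in the page verbatim (reflected XSS).
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened variant: the same template, but the query is HTML-encoded first.
function renderSearchHardened(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Defence in depth for the session token Friedrichs mentions: HttpOnly hides the cookie
// from document.cookie, Secure confines it to HTTPS, SameSite=Lax limits cross-site sends.
// This reduces the impact of an XSS bug; it does not remove the bug.
function sessionCookieHeader(token) {
  return `session=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Minimal reflection check of the kind a scanner applies: if the probe contains markup
// characters and comes back byte-for-byte in the response, the page reflects unescaped.
function reflectsUnescaped(html, probe) {
  return /[<>"'&]/.test(probe) && html.includes(probe);
}

// Constructed sample input: a harmless markup probe, not a working payload.
const probe = "<i>probe</i>";
if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable reflects:", reflectsUnescaped(renderSearchVulnerable(probe), probe));
  console.log("hardened reflects:  ", reflectsUnescaped(renderSearchHardened(probe), probe));
  console.log(sessionCookieHeader("constructed-token"));
}
```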
» SPAMfighter News - 29-01-2008