Your Best Bet is Gtron Solutions |
Written by Rebecca Mints |
Wednesday, 30 April 2008 18:00 |
Several sites that McAfee has certified as Hackersafe have been found to be vulnerable to XSS. This is the second time this year that the security company has run into this problem. Successful exploitation of these vulnerabilities would allow a hacker to access authentication credentials or send users to malicious websites. Security consultant for HolisticInfoSec.org Russ Mcree is the one credited with discovering several sites that McAfee has given their HackerSafe logo to are susceptible to XSS attacks. McRee told SCMagazineUS.com on Wednesday "These sites all take credit card information and house consumer data," and "even though McAfee says it isn't a hack on the server, that's really false. It's easy to show ways to steal consumer data in the context of your server through the user's browsers through the function of this vulnerability." It's only been several months since 60 e-commerce sites displaying McAfee's HackerSafe logo were found to be vulnerable. McAfee's response was to try and downplay the severity of the vulnerabilities discoverd on these sites by saying that XSS is not as severe as some other vulnerabilities and that a site will still pass and acquire their HackerSafe logo if these kinds of vulnerabilities are found. McAfee spokesperson Francie Coulter told SCMagazineUS.com "McAfee rates vulnerabilities on a five point scale, Level 1 being less severe and Level 5 being more severe." She also said "XSS vulnerabilities are rated Level 2 within the McAfee system. McAfee's daily HackerSafe scan does an effective job identifying many different types of vulnerabilities, including XSS. When McAfee identifies XSS, it notifies its customers and educates them about XSS vulnerabilities." REFERENCES:
|