A security researcher who goes by the online handle Flexxpoint found a cross-site scripting (XSS) vulnerability in Microsoft’s main site. Separately, the grey hat hacker team known as BlitzSec identified security holes in the official sites of Dell Australia and Turner Broadcasting System (TBS).
E Hacking News reports that Flexxpoint discovered the XSS issue in the products page and demonstrated his findings with simple proof-of-concept code.
If successfully exploited, the vulnerability could allow an attacker to steal cookies and even launch phishing attacks.
The same expert recently identified a similar weakness in the official site of Ubuntu (Ubuntu.com).
The other two websites, which BlitzSec named as vulnerable, are also susceptible to XSS attacks.
“Dell.... You should know better than this D: c'mon patch this [expletive] up,” a BlitzSec representative said.
With TBS it’s a bit different. TeamHav0k had previously named the site as easy to compromise, and its administrators were notified of these issues at the time.
Since the website remained unsecured, hackers who exploit the high-severity flaws can perform cookie stealing, XSS Tunnels, and XSS attacks using Metasploit (XSSF).
“TBS you need to implement XSS filters. I was surprised to find this even after TeamHav0k's XSS find on your site, thought you would have learned. Patch up XSS across your whole site, not just the affected page brought to your attention,” a BlitzSec hacker explained.
The large number of security holes that security experts and hackers have recently identified in public websites managed by high-profile companies shows that the number of completely secure sites is really low.
Hackers are racing to disclose vulnerabilities in sites, but if they keep it up, this will soon become a contest in which the prize goes to those who find a secure domain.