Some time ago, a hacker known as Gambit identified a number of cross-site scripting (XSS) vulnerabilities affecting the official website of the world-renowned information technology corporation HP.
He immediately contacted TippingPoint’s Zero Day Initiative (ZDI) so that the flaws could be addressed responsibly, without the details falling into the wrong hands.
Since ZDI didn’t provide much feedback, he took his findings directly to HP, hoping the company would proceed to secure its site.
“These were reported to HP and they told me they passed it up to the web admins, so I figured I would share the finds. I wouldn't have been able to get one of these without the help of my good friend ’quirmyBeast’,” Gambit said.
He reveals that HP representatives took his findings seriously and have already started to patch up the weaknesses.
“It seems as though they fixed one vuln and have taken down one of the other vulns sites all together (may be a temp thing),” he explained.
The screenshots he provided show how an attacker could exploit the XSS flaws to do real damage. Because these are reflected XSS issues, the attacker first has to get a victim to open a specially crafted link; the injected script then runs in the victim's browser, in the context of HP's site.
Of course, as real incidents have shown many times before, that social engineering step is not hard. Malicious links are sent in phony emails all the time, and their success rate is high.
To better understand the danger, imagine that the small pop-up reading “error” in the screenshot is replaced with a larger dialog requesting credit card details or other sensitive information.
Because the injected content is rendered inside the genuine HP page, with HP's real domain in the address bar and a valid certificate, an unsuspecting victim has little reason to doubt that the request for private data is also genuine. The phishing page may not even be required: a script that reads the session cookie and sends it to an attacker-controlled server can do the job silently, unless the cookie is flagged HttpOnly, in which case the injected script can still act on the victim's behalf by issuing requests from within the page.