The flaws have been reported, but so far they haven't been addressed

May 17, 2012 09:05 GMT

A hacker known as CyberZeist has found that the website of Baidu, the largest search engine in China, and one belonging to Intel, the world-renowned semiconductor chip maker, contain cross-site scripting (XSS) vulnerabilities.

We have explained the risks posed by such security holes numerous times, so this time we’ve let the hacker himself detail the dangers that lie behind apparently simple flaws.

“These two XSS are known as Non-Persistent XSS flaws. Though they have a low risk factor, if they are unresolved, this security hole could help a remote attacker to steal accounts by cookie-hijacking,” CyberZeist said.

“Also, the attacker can easily social engineer any victim visiting the site into using a crafted URL like www.intel.com/about/[redacted] to steal their account or even trick the site admin into using the same URL, leading to overtaking the whole website!”

He also warns that in certain circumstances, the successful exploitation of such XSS vulnerabilities can lead to “bulk email disclosure.”

The hacker provided us with a proof-of-concept and screenshots that demonstrate his findings. Although the representatives of both companies have been notified regarding the existence of the vulnerabilities, so far they’ve failed to address the issues.

On Monday, we reported that a hacker found an XSS flaw on one of the subdomains of the website owned by the US Department of Defense (DOD). As it turns out, the same weakness has also been identified independently by CyberZeist.

Unlike Gambit, who also discovered the vulnerability, this hacker decided to report it to the administrators of dod.mil.

“I have reported it and got the reply that they are gonna rectify it,” he told us.

Well, NASA has begun fixing the large number of weaknesses that affect its websites, so it’s about time that the US government did the same.

[Images: XSS on Baidu.com, China's largest search engine site; XSS on Intel.com]