Freedom, the grey hat hacker we met a few days ago, returns with some interesting finds. He managed to identify a couple of cross-site scripting (XSS) vulnerabilities in the official sites of the popular retailers TESCO and Comet.
The first security hole was identified on TESCO’s site,
tesco.com.
“This was again a very easily found issue but could be abused. For a site of its popularity you believe the security would be even in the slightest secure. I have seen multiple scripts (free) with better secuirty than TESCO,” the hacker told us.
The grey hat provided screenshots to prove the existence of the flaws on both sites.
“This had a very easily got around filtering system which blocked you from inputting more than 30 chars but if you searched something ‘prohibited’ it would then allow you to search over the restricted number of chars and also input quite simple html which could easily be abused,” Freedom said about Comet’s website.
He also discovered some minor flaws in scripting on the sites of Henleys (henleys.co.uk) and Chanel (chanel.com).
Find us on Google+
