14 DAY TRIAL // Gambit, who recently reported a couple of vulnerabilities on the sites of AOL and Cisco, returns with another find. He discovered that Start Page (startpage.com) doesn’t filter user input strings, making the site susceptible to cross-site scripting (XSS) attacks.
The hacker contacted the administrators of the site that’s advertised as being “the world’s most private search engine,” but as it turns out, they failed to respond.
“Well yet again admins wish to not address security issues... It turns out the popular search engine for security conscious people is vulnerable to XSS,” Gambit explained.
“It has been a week since I contacted them about this and *gasp* no response... There are multiple ways in their search engine to generate both self and reflective XSS.”
As the screenshot provided by the hacker demonstrates, by relying on social engineering techniques, a cybercriminal could leverage the security hole to launch phishing attacks and other malicious operations.
Note. My Twitter account has been erroneously suspended. While this is sorted out, you can contact me via my author profile.