CyberZeist claims that he has reported the vulnerabilities because he no longer needs them

Jun 8, 2012 12:21 GMT

CyberZeist, a member of the UGNazi hacker collective, has published a number of cross-site scripting (XSS) vulnerabilities that affect the websites of Discovery Channel, CNN, New York Times, US Army’s Medical Regiment, and the National Guard. He claims that the proofs of concept were published only after he had already made good use of them.

“These types of XSS just look ordinary but are real hard to find and very valuable from an exploiter's point of view. While working with UGNazi, we have used these types of flaws to hack the account of some very important personalities!” he explained.

“The importance of these vulnerabilities is hard to overlook. It’s also an interesting point that such type of vulnerabilities also exist in high-profile sites like Yahoo, PayPal etc, and are being sold in the underground black market for a fair amount of price!”

This is not the first time we have published a report on XSS security holes. However, this is the first time the hacker actually claims to have exploited them.

“These XSS were released by me because I have gained what I wanted to gain from these flaws, these XSS have become pretty useless for me now. But still I have Yahoo and PayPal XSS and I will be releasing them soon once my work is over with them!” CyberZeist said.

On the other hand, the hacker apparently contacted all of the affected sites to tell them about the weaknesses.

“Also I have reported these XSS to the respective website owners, and they will be fixed soon!” he concluded.

While the webmasters of these sites may well patch these issues, at press time the flaws could still be exploited, which is why we will not be providing a link to the actual POCs.
