The hacker who goes by the name of Gambit has identified non-persistent (reflected) cross-site scripting (XSS) vulnerabilities on a number of important sites, including the US Department of Energy (doe.gov), Minute Workers, NASDAQ, the US Office of the Secretary of Defense (osd.mil), NASA (starbrite.jpl.nasa.gov), Canadian media company CBC, and EA.
Non-persistent XSS is less dangerous than persistent (stored) XSS because the malicious script is not saved on the server; it has to be delivered to each victim inside a crafted link. That does not mean webmasters should leave such flaws unfixed: a user who is tricked into opening the link runs the attacker's script with the site's own origin, which is enough to steal session cookies or alter what the page shows.
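To make the distinction concrete, the following is an added example (it is not code from the article, from Gambit's reports, or from any of the affected sites) showing a minimal reflected-XSS page and its hardened form in Node.js. The `/search` path, the `q` parameter, and the page layout are assumptions for illustration only; the fix is the standard one, HTML-entity encoding of untrusted input at the point where it is written into element content.

```javascript
// Added example, not from the article or from any affected site.
// Endpoint paths, the "q" parameter and the page markup are assumptions.

// Vulnerable: the search term from the query string is concatenated
// straight into the HTML response. A crafted link such as
//   /search?q=<script>alert(document.cookie)</script>
// executes in the site's origin when a victim is lured into opening it.
function renderVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}

// HTML-entity encoding for untrusted text placed in element content.
// Covers the five characters that can break out of text context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened: identical page, but the untrusted value is encoded on output,
// so the payload is rendered as visible text rather than parsed as markup.
function renderHardened(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Simple check used below: does the HTML still contain a raw <script tag?
function containsRawScriptTag(html) {
  return /<script/i.test(html);
}

// A request handler in the shape of a tiny router. It takes the full URL
// as a string (as a framework would hand it over) and returns the response
// pieces instead of writing to a socket, so it can be exercised offline.
// "/search" is the vulnerable route, "/safe" the hardened one; both names
// are assumptions. The Content-Security-Policy header on the safe route is
// defence in depth: even if encoding were missed somewhere, inline script
// would be blocked by the browser.
function buildResponse(urlString) {
  const url = new URL(urlString);
  const q = url.searchParams.get("q") || "";
  const headers = { "Content-Type": "text/html; charset=utf-8" };
  let body;
  if (url.pathname === "/safe") {
    headers["Content-Security-Policy"] = "default-src 'self'";
    body = renderHardened(q);
  } else {
    body = renderVulnerable(q);
  }
  return { status: 200, headers, body };
}

// Constructed sample payload, the kind a reflected-XSS link would carry.
const SAMPLE_PAYLOAD = "<script>alert(document.cookie)</script>";

// Demonstration: compare what each route returns for the same payload.
function demo() {
  const vuln = buildResponse(
    "http://example.test/search?q=" + encodeURIComponent(SAMPLE_PAYLOAD)
  );
  const safe = buildResponse(
    "http://example.test/safe?q=" + encodeURIComponent(SAMPLE_PAYLOAD)
  );
  return {
    vulnerableReflectsScript: containsRawScriptTag(vuln.body),
    hardenedReflectsScript: containsRawScriptTag(safe.body),
  };
}
```

Running `demo()` returns `{ vulnerableReflectsScript: true, hardenedReflectsScript: false }`: the vulnerable route echoes the `<script>` tag as markup, while the hardened route echoes it as harmless text. The same encoding rule applies to every place user input reaches a page, and it must match the context (element content, attribute value, URL, or JavaScript string), which is why a reflected XSS reported on one subdomain is usually worth a sweep of the others as well.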
In some cases, Gambit has identified more than one vulnerable subdomain on the same site.
The hacker told Softpedia that all the security holes were reported to the affected sites' webmasters, but at the time of the original report none of them had responded to his notifications.
However, one of the affected domains, the one Electronic Arts has dedicated to the Burnout Paradise game, displays a “server maintenance” notification, which may indicate that some work is being done to the site.
According to the hacker, NASA has since responded to his notifications, and the report has been forwarded to the agency's security team.