TeamHav0k informs administrators of XSS flaws present in their sites

Feb 16, 2012 19:01 GMT

Gray hat hackers usually say that they find vulnerabilities in websites and make them public in order to force administrators to patch their security holes. The group called TeamHav0k is doing just that, revealing flaws in sites such as GEICO.com, Shockwave.com, Register.go.com and Gamefly.com.

GEICO, an insurance company, Shockwave, a gaming website, Register, a site that deals with Internet Information Services (IIS), and Gamefly, a gaming vendor, were all found to contain cross-site scripting (XSS) vulnerabilities.

“Here's another list of XSS. Admins of these sites please install good XSS filters because someone may use these for their own gain; yes, they are non-persistent,” the hackers said.

“But if the attacker has the proper knowledge of XSS (which it seems very few people have and web-admins are oblivious to) they can easily with a little SEing do a full OS compromise and from there open a backdoor to the victim’s computer.”

TeamHav0k publicly discloses many vulnerabilities in the hope that administrators will address them. Unfortunately, many remain unfixed for long periods of time, and some are even exploited by black hats for their own malicious purposes.