Softpedia
 


January 23rd, 2012, 08:09 GMT · By Eduard Kovacs

Hackers Prove EA, IGN, ImageShack, NY Times, Verizon Vulnerable



[Image: Internet Explorer 8 mitigates XSS attacks]

A relatively new hacking collective, TeamHav0k, has launched an operation called “#OP XSS” in which they try to find cross-site scripting (XSS) vulnerabilities in major websites. The first results of the operation are in, and it turns out that a lot of important sites contain the flaw the hackers were looking for.

A Pastebin document reveals that websites such as the ones belonging to Verizon, Huffington Post, the European Organization for Nuclear Research (CERN), Electronic Arts (EA), IGN and New York Times contain some design flaws.

Some educational institutions were also found to contain XSS security holes, including the University of Illinois, Harvard, Yale and Rockefeller University.

Telecoms company Verizon, media hosting company ImageShack, value calculator and traffic estimator tool StatShow, Major League Gaming, and Dr Pepper complete the list.

[Image: Verizon's website contains XSS vulnerability]

Even though XSS vulnerabilities are among the most common ones found in commercial websites, this doesn’t mean they’re not dangerous. Cybercriminals can rely on these weaknesses to execute their own malicious code and cause damage to the virtual assets of unsuspecting Internet users.

Fortunately, some web browsers protect their users against these attacks. For instance, Internet Explorer 8 and Internet Explorer 9 display a warning message stating that the page has been modified to prevent cross-site scripting.

Google Chrome also mitigates the attack, but Opera and Mozilla Firefox fail to do so, leaving their users exposed.

Major websites, such as the ones mentioned before, should really put an effort into securing their domains against these common flaws. Because of the large numbers of visitors they have each day, hackers could use them for malevolent purposes.

Since TeamHav0k didn’t take advantage of the flaws, we can only assume that they’re a group of gray hats whose main purpose is to alert website administrators of existing vulnerabilities. We have tried to contact them to learn more about their mission and their purposes, so stay tuned for more details.


READER COMMENTS:


Comment #1 by: mr.disclose on 23 Jan 2012, 10:53 UTC

lolz look at the first image, the url has been hidden from the URL but can be seen from the title bar ... lolz


Comment #2 by: DeadOnArrival on 23 Jan 2012, 12:05 UTC

Nice title bar on the redacted IGN picture...

Comment #2.1 by: Eduard Kovacs on 23 Jan 2012, 13:47 GMT

Thanks for pointing that out. It has been taken care of.
