They are operated by Symantec, Kaspersky, AVG, ESET, F-Secure and Trend Micro

May 11, 2009 10:26 GMT

Websites belonging to no fewer than six antivirus vendors have been found to suffer from cross-site scripting weaknesses that could facilitate phishing attacks. Most of these companies have faced similar flaws in their online resources in the past.

A grey-hat hacker going by the name of Methodman, who seems to have specialized in finding XSS vulnerabilities in high-profile websites, has just announced another hit. More specifically, he has disclosed cross-site scripting flaws in eight websites operated by six antivirus vendors: Symantec, Kaspersky, AVG, ESET, F-Secure and Trend Micro.

As Methodman, who is a member of a group of security enthusiasts and programmers called Team Elite, points out, some of these companies have been warned about similar vulnerabilities in their websites on different occasions, yet no changes in code review practices seem to have been made. What is even more baffling is that these companies sell security products to others and tag websites compromised through such flaws as malicious.

Just to give an ironic example, here is why you need a product called LinkScanner, which is developed by AVG – "There are millions of poisoned web pages out there. They can live on familiar, big-name sites – and they can come and go within hours. Just clicking on one can get you into trouble. You can end up losing your money, your identity and your most precious digital memories," the company says.

That might certainly happen, considering that even linkscanner.avg.com, this product's home page, is vulnerable to cross-site scripting, as Methodman demonstrates. A valid, yet maliciously crafted URL to linkscanner.avg.com could certainly add to the credibility of malware distribution or phishing e-mails.

But let's not single out AVG here. Symantec has three websites that allow attackers to inject malicious IFrames or prompt rogue JavaScript alerts. Kaspersky has similar problems with pages from its support.kaspersky.com and support.kaspersky.ru websites. That's really worrying, because, just a month ago, we reported a different cross-site scripting weakness, also discovered by Methodman, in the latter.

ESET and F-Secure, which have also been found to operate vulnerable websites, are not facing their first incident either, and the same goes for AVG, Symantec and Kaspersky. On the other hand, Trend Micro is a newcomer on the XSSed list, at least on the one maintained by Methodman. Still, as past examples show, we're sure more flaws are just around the corner. All new cross-site scripting weaknesses disclosed by Methodman were still active at the time of writing this article, as demonstrated by the screenshots we took ourselves.

Screenshots: Antivirus websites found vulnerable; IFrame injection on Symantec website; Rogue JavaScript alert on Symantec website.