The grey hat called Freedom returns with some interesting finds

Feb 27, 2012 08:22 GMT  ·  By

Freedom, the grey hat hacker who has recently identified a large number of cross-site scripting (XSS) vulnerabilities in some important websites, returns with other interesting finds. He discovered 25 online shops from the United Kingdom containing XSS security holes. The worrying thing is that all of the sites bear Verisign Trusted, Internet Shopping is Safe, Internet Delivery is Safe, Verified by Visa, and MasterCard SecureCode logos.

“25 of these big sites all run the same script and it was not hard to find them all using a home-made ‘Google dork’. They try to filter the search on the main pages, but then when you search for something that is, well, not there, it then allows you to search again, and this one has no limit to characters and very little filtering,” the hacker told us.

“A person with 5 mins of looking at XSS could make these sites fall to their knees and, well, do a lot of damage to the reputations of these sites.”
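The failure mode described above is a second search form, on the “no results” page, that reflects the query without the filtering applied on the main page. The following is an added example, not code from the article or from any of the shops named; the page templates and the helper are constructed here to show why the fix is output encoding on every page that reflects the query, rather than input limits on one form.

```python
import html

# Characters that can change HTML structure if reflected unencoded.
SPECIAL = set('<>"\'&')


def render_no_results_unsafe(query: str) -> str:
    """The pattern the article describes, kept only as the 'before' case:
    the 'search again' page echoes the query verbatim into both a text
    context and a quoted attribute value."""
    return (
        "<p>No results for: " + query + "</p>"
        '<form action="/search"><input name="q" value="' + query + '"></form>'
    )


def render_no_results_safe(query: str) -> str:
    """Hardened version of the same page: the query is HTML-encoded once,
    with quote=True so it is safe in the attribute context as well as the
    text context. No length cap or keyword filter is needed for this."""
    q = html.escape(query, quote=True)
    return (
        "<p>No results for: " + q + "</p>"
        '<form action="/search"><input name="q" value="' + q + '"></form>'
    )


def reflects_unencoded(rendered: str, query: str) -> bool:
    """Simple check a reviewer or scanner can apply to any page that echoes
    user input: if the query contains HTML-significant characters and still
    appears verbatim in the response, it was reflected without encoding."""
    return bool(SPECIAL & set(query)) and query in rendered


if __name__ == "__main__":
    # Constructed, benign probe containing a quote and a tag.
    probe = 'search "term" <i>probe</i>'
    print("unsafe page reflects raw markup:", reflects_unencoded(render_no_results_unsafe(probe), probe))
    print("safe page reflects raw markup:  ", reflects_unencoded(render_no_results_safe(probe), probe))
```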

Freedom provided us with screenshots to prove that the vulnerabilities exist in sites such as House of Fraser, Jacamo, Fashion World, Premier Man, Williams and Brown, Marisota, Ambrose Wilson, Viva la Diva, Fifty Plus, and High and Mighty.

Similar XSS flaws were found in online shops such as JD Williams, Heather Valley, Classic Confidence, Nightingales, Simply Yours, That’s My Style, Home Essentials, Oxendales, Naturally Close, House of Bath, Classic Detail, The Brilliant Gift Shop, Crazy Clearance, Feel Good Essentials, and Simply Be.

A 26th site that was found to be vulnerable is ASDA Direct (direct.asda.com), but this one is covered separately because it doesn’t display any logos that guarantee shopper safety.

“It is just another example of how they are leading the users into a false sense of security. I think the script these sites are using was coded by 5-year-old kids. I have never in all my time found a script so poor being used by so many big brands,” he added.

“But it tells me one thing: they are all copycats and think ‘ohhh well, if they use it, it must be secure’ and don’t get it checked over, just slap it online and let users use code that is, well, pants.”

Some may argue that these security measures are designed to secure the users’ private information when purchasing something from the site, but administrators should never overlook the simple flaws that can exist on their domains.

“I mean OK, I just looked on ‘www.verisign.co.uk’ and their prices are ‘ehhh WOW’. Would not want to think I was paying that, so I ask one question: if you have the money to pay for that, why let the script let you down,” Freedom further mentioned.

“And from what I’m seeing, it’s because these companies like to look the part, but when it comes down to it they are a letdown for users. Also, users need to understand that just because you’re going to a site that has a stamp saying safe or is HTTPS, it doesn’t mean it’s secure,” he concluded.

Photo Gallery (3 images): XSS found on High and Mighty; XSS found on House of Fraser; XSS found on Marisota.