Aug 19, 2010 20:22 GMT  ·  By

A Romanian security researcher has discovered multiple cross-site scripting (XSS) weaknesses in several localized MSN websites, which allow for session cookie hijacking and IFrame injection.

The bugs were discovered on various websites hosted in sub-sections on ca.msn.com, fr.msn.com, be.msn.com and fi.msn.com.

Cross-site scripting weaknesses are the result of a failure to properly sanitize user input, whether it comes from forms or from URL parameters, before it is passed to dynamic scripts and echoed back into the page.

XSS flaws can be of several types, with persistent (stored) ones being the most dangerous, because the injected code is saved by the site and served to every visitor, making permanent changes to the Web page.

In this case the vulnerabilities were non-persistent or reflected, which means that a successful exploit requires tricking victims into opening a specially crafted link.
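To make the reflected case concrete, here is an added example (not code from the article or from any MSN site): a minimal search page that copies the hypothetical `q` parameter from the link straight into its HTML, the same page with output encoding, and a small defender-side check for unencoded reflection. The URL, parameter name and sample link are constructed for illustration.

```javascript
// Added example: reflected XSS in a page that echoes a URL parameter,
// shown vulnerable and hardened. Route and parameter names are hypothetical.

// Encode the characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the "q" value from the link is concatenated into the page
// as-is, so any markup the link carries runs in the site's own origin.
function renderVulnerable(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("q") ?? "";
  return `<html><body><h1>Results for: ${q}</h1></body></html>`;
}

// Hardened: the same page, but the untrusted value is encoded for the
// HTML context it lands in before being concatenated.
function renderHardened(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("q") ?? "";
  return `<html><body><h1>Results for: ${escapeHtml(q)}</h1></body></html>`;
}

// Defender-side regression check: does a parameter value containing
// HTML metacharacters come back in the response body unencoded?
function reflectsUnencoded(requestUrl, html) {
  const q = new URL(requestUrl).searchParams.get("q") ?? "";
  return q.length > 0 && escapeHtml(q) !== q && html.includes(q);
}

// Constructed sample link (not one of the researcher's PoCs): the kind of
// crafted URL a victim would have to be tricked into opening.
const SAMPLE_LINK =
  "https://search.example.test/?q=" + encodeURIComponent("<script>alert(1)</script>");

console.log(reflectsUnencoded(SAMPLE_LINK, renderVulnerable(SAMPLE_LINK))); // true
console.log(reflectsUnencoded(SAMPLE_LINK, renderHardened(SAMPLE_LINK)));   // false
```

The check only catches verbatim reflection; a page that echoes the value inside a script block or an attribute needs context-specific encoding and a context-specific test.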

The Romanian security enthusiast who found the MSN bugs goes by the online handle of d3v1l and seems to specialize in identifying XSS weaknesses in high profile websites.

According to stats from the XSSed project, d3v1l's previous targets include Twitter, SAINT Corporation, Tweetmeme, VeriSign, Blippr, Symantec, ITworld, Arbor Networks and others.

In an email to Softpedia the researcher presented proof of concept exploits, which can be used to trigger arbitrary alerts, hijack session cookies or inject an IFrame into the page.

Even though reflected XSS bugs have a lower security impact, because each victim needs to be targeted individually, the risks associated with them should not be easily dismissed.

Such flaws can be leveraged to make phishing attacks more believable. Take for example the XSS weakness discovered by d3v1l on the barclays.co.uk website back in June.

An attacker could have leveraged it to create an obfuscated URL that would first take users to barclays.co.uk and then trigger a redirect to a phishing page.

Seeing that the URL included in the original email really pointed to a location on the barclays.co.uk website, many users would probably have clicked on it.

Photo Gallery (5 images): Several MSN websites vulnerable to cross-site scripting; XSS PoC on ca.msn.com; XSS PoC on fr.msn.com.