New cross-site scripting weaknesses discovered in the websites of the two AV vendors

Apr 16, 2009 11:08 GMT
Symantec and Kaspersky websites vulnerable to cross-site scripting attacks

Websites belonging to Symantec and Kaspersky Lab, two of the biggest global providers of security solutions, have been found to be vulnerable to cross-site scripting attacks. Ill-intentioned individuals could have exploited the flaws to steal authentication cookies or inject rogue IFrames and other potentially malicious code into the pages.

According to MITRE's CVE, cross-site scripting (XSS) weaknesses have been the most widespread vulnerabilities on the Web for the past several years. They are the result of poor programming, and security researchers estimate that thousands of pages are compromised through XSS every single day.

The most common attacks exploiting such vulnerabilities involve IFrame injections. Cybercrooks constantly use such rogue HTML IFrames to load exploit kits or malware hosted on remote servers into legitimate pages. This increases the pool of potential victims, since users are clearly more likely to visit already popular websites than the ones set up by attackers.

The XSS flaws in Kaspersky's and Symantec's sites were discovered and documented by Team Elite, a self-confessed ethical hacking outfit, which previously disclosed similar vulnerabilities affecting other high-profile sites belonging to the likes of eBay and Intel, or AV vendors such as Avira and ESET.

Methodman, one of the outfit's members, has released screenshots of several proof-of-concept attacks against symantec.com and kaspersky.ru. In addition to IFrame injections, an attacker could have hijacked session cookies, which are files stored by websites on users' computers to identify them as authenticated. These files can be used to access a user's account as long as their session remains active or until they are set to expire.

This is not the first time that both companies have had security issues with their websites. For example, Team Elite has outed Kaspersky websites as vulnerable on several different occasions this year alone. After one of the past incidents, a Kaspersky spokesperson commented for Softpedia that, "Kaspersky Lab’s security experts rate XSS weaknesses as low risk because a large number of conditions have to be met before [they] can affect users."

That might well be the case, but still, the fact that companies selling security solutions are repeatedly facing security problems themselves raises at least one question. What chances do average companies stand when it comes to protecting their websites from attackers? Team Elite has announced that both companies have been notified of these bugs, and we can confirm that they had been addressed by the time of writing this article.
