A hacker called Freedom wants to show that many sites fail to protect their customers

Feb 24, 2012 17:19 GMT  ·  By

A hacker that goes by the online handle Freedom provided us with proof regarding cross-site scripting vulnerabilities that exist in popular websites such as the ones of Yves Saint Laurent (ysl.com), ABC (abc.go.com), and Sky Sports (skysports.com).

“The first been ABCGO and this was a very easy XSS issue, the security of the site belongs in the trash can if you ask me,” the hacker told us.

The vulnerability that affects Sky Sports was, according to the hacker, easy to find by anyone with basic HTML skills.

Operation Freedom, as that’s what the hacker calls his mission to find security holes on websites that claim they do everything to keep their users safe, also revealed a flaw in the official Yves Saint Laurent online store.

“Every day ppl onling buy products from online stores and these stores make millions on pounds/dollars every year and the user gets told it’s safe and secure shopping online, and here is a very good example of a store online of a very big brand that is well a security risk to people’s information and safety online,” he added.

Freedom identified a couple of vulnerabilities, that were also found by TeamHav0k a few days back, in official sites owned by sportswear manufacturers Puma and Adidas.

All the flaws were reported to the sites’ owners, but as in many cases, grey hat hackers are ignored when they contact administrators, either because the admins don’t know how to address the issues, or because they simply don’t care.

“All of these companies make millions every year and there security is not up to scratch. All of these XSS issues could be abused to use users to commit illegal activities, crimes, if abused in the right way. When I say they where easy, I found all 4 of them in 10 mins. For websites that sell stuff and users use there credit cards on, it’s an abomination,” Freedom concluded.

Update. The hacker received a response from Yves Saint Laurent representatives. According to the hacker, their reply is a “mockery”. Here's what they said:

Thank you for taking the time to contact Yves Saint Laurent.

Unfortunately, we are unable to facilitate your request. Please note YSL does not provide this type of service nor is there a department or store which can fulfill this inquiry.

We apologize that we are unable to provide you with additional information.

Photo Gallery (3 Images)

Yves Saint Laurent site vulnerable to XSS attacks
Sky Sports site vulnerable to XSS attacksABC site vulnerable to XSS attacks
Open gallery