All the sites are very popular and the abuse of the flaws could have serious consequences

Feb 27, 2012 19:11 GMT  ·  By

Sixty high-profile websites were found to contain cross-site scripting (XSS) vulnerabilities that could expose the sites’ visitors to malicious operations launched by cybercriminals with a clearly defined agenda.

The list of vulnerable sites, provided by Zer0Freak, a hacker who is part of Team Intra, includes the official sites of Electronic Arts, Avon, WWF Panda Global, LG, Lyrics Fly, University of Virginia, Pizza Hut, Hungry Jack’s, Jaycar, Adidas, Your Gamer Cards, Shockwave, Toshiba, Puma, Ferrari, Toyota, Guitar, Web Hosting Search, McDonald’s, Fender, PCWorld, Los Angeles Times, and Dell.

The list continues with Catholic Online, Nero, Bruxelles, Beemp3, Weather, Dictionary, Harvard University, VMware, Autodesk, Radio Times, Music, NASA, Comcast, Sky Sports, NFL, Gamespot, Burger King, Dubstep, Fedex, NY Observer, Philips, Electa, Nike, the Manchester United soccer team, ABC, Food, Nissan, Colgate, Symantec’s Norton, and Genius.

Some of these sites had already been singled out in recent weeks as highly vulnerable by other grey hat hacker teams, and Zer0Freak said that a few of them have been fixed in the meantime. Judging by the screenshots he sent us, however, some administrators still haven’t addressed the security holes.

While it’s no surprise that Symantec quickly patched the Norton site, the curious part is that the website contained such a common security hole in the first place.

The hacker told us that it took him around 30 minutes to find the vulnerabilities, which are present in most commercial sites. However, like many grey hats before him, he warns that “XSS is a very harmful method of hacking websites, in fact it’s the 2nd most malicious act against hacking websites.”

The disclosure of these vulnerabilities is part of an operation called Operation Zer0XSS, which was launched for educational purposes and to show the dangers posed by the existence of XSS flaws.

Photo Gallery (3 Images)

The official Fender site contains an XSS vulnerability
Manchester United's official site contains an XSS vulnerability
Symantec rushed to patch the security hole present on their Norton site