XSS vulnerability found in McAfee HackerSafe sites

Share this article:
For the second time this year, a security researcher has found websites certified as McAfee HackerSafe that contain vulnerabilities.

Russ McRee, a security consultant for HolisticInfoSec.org, discovered a number of websites that carry the HackerSafe logo, but have been found to be vulnerable to cross-site scripting (XSS) errors. According to a blog post written by McRee, the vulnerabilities make it possible for hackers to access authentication credentials or send users to malicious websites.

“These sites all take credit card information and house consumer data,” McRee told SCMagazineUS.com on Wednesday. “Even though McAfee says it isn't a hack on the server, that's really false. It's easy to show ways to steal consumer data in the context of your server through the user's browsers through the function of this vulnerability.”

McRee said that this latest discovery comes several months after 60 e-commerce sites with the HackerSafe certification service logo were also found vulnerable.

McAfee said XSS are less severe than other vulnerabilities, and the presence of one on a website does not cause it to fail HackerSafe certification.

“McAfee rates vulnerabilities on a five point scale, Level 1 being less severe and Level 5 being more severe,” Francie Coulter, a McAfee spokeswoman, told SCMagazineUS.com on Wednesday. “XSS vulnerabilities are rated Level 2 within the McAfee system. McAfee's daily HackerSafe scan does an effective job identifying many different types of vulnerabilities, including XSS. When McAfee identifies XSS, it notifies its customers and educates them about XSS vulnerabilities.”

Share this article:

Sign up to our newsletters

More in News

Health care breaches continue to rise, over 30M affected

As breaches hitting the health care industry continue to ramp up, more than 30 million individuals have been affected by these incidents thus far.

'Backoff' malware compromises POS devices in New Orleans restaurant

Anyone that used a credit or debit card at Mizado Cocina between May 9 and July 18 may have had their data compromised.

FBI begins investigation into 1.2 billion stolen credentials

A couple weeks after Hold Security's initial discovery of the stolen logins, the Federal Bureau of Investigation is conducting its own review.