XSS vulnerability found in McAfee HackerSafe sites

Share this article:
For the second time this year, a security researcher has found websites certified as McAfee HackerSafe that contain vulnerabilities.

Russ McRee, a security consultant for HolisticInfoSec.org, discovered a number of websites that carry the HackerSafe logo, but have been found to be vulnerable to cross-site scripting (XSS) errors. According to a blog post written by McRee, the vulnerabilities make it possible for hackers to access authentication credentials or send users to malicious websites.

“These sites all take credit card information and house consumer data,” McRee told SCMagazineUS.com on Wednesday. “Even though McAfee says it isn't a hack on the server, that's really false. It's easy to show ways to steal consumer data in the context of your server through the user's browsers through the function of this vulnerability.”

McRee said that this latest discovery comes several months after 60 e-commerce sites with the HackerSafe certification service logo were also found vulnerable.

McAfee said XSS are less severe than other vulnerabilities, and the presence of one on a website does not cause it to fail HackerSafe certification.

“McAfee rates vulnerabilities on a five point scale, Level 1 being less severe and Level 5 being more severe,” Francie Coulter, a McAfee spokeswoman, told SCMagazineUS.com on Wednesday. “XSS vulnerabilities are rated Level 2 within the McAfee system. McAfee's daily HackerSafe scan does an effective job identifying many different types of vulnerabilities, including XSS. When McAfee identifies XSS, it notifies its customers and educates them about XSS vulnerabilities.”

Share this article:

Sign up to our newsletters

More in News

Report: SQL injection a pervasive threat, behavioral analysis needed

Report: SQL injection a pervasive threat, behavioral analysis ...

Long lag times between detection and resolution and reliance on traditional methods impair an organization's ability to combat SQL injection attacks.

WhatsApp bug allows for interception of shared locations

Researchers identified a vulnerability in WhatsApp that could enable an attacker to intercept shared locations using a man-in-the-middle attack, or a rogue access point.

Google tweaks its terms of service for clarity on Gmail scanning

The company is currently dealing with a lawsuit that challenges its email scanning practices.