XSS vulnerability found in McAfee HackerSafe sites

Share this article:
For the second time this year, a security researcher has found websites certified as McAfee HackerSafe that contain vulnerabilities.

Russ McRee, a security consultant for HolisticInfoSec.org, discovered a number of websites that carry the HackerSafe logo, but have been found to be vulnerable to cross-site scripting (XSS) errors. According to a blog post written by McRee, the vulnerabilities make it possible for hackers to access authentication credentials or send users to malicious websites.

“These sites all take credit card information and house consumer data,” McRee told SCMagazineUS.com on Wednesday. “Even though McAfee says it isn't a hack on the server, that's really false. It's easy to show ways to steal consumer data in the context of your server through the user's browsers through the function of this vulnerability.”

McRee said that this latest discovery comes several months after 60 e-commerce sites with the HackerSafe certification service logo were also found vulnerable.

McAfee said XSS are less severe than other vulnerabilities, and the presence of one on a website does not cause it to fail HackerSafe certification.

“McAfee rates vulnerabilities on a five point scale, Level 1 being less severe and Level 5 being more severe,” Francie Coulter, a McAfee spokeswoman, told SCMagazineUS.com on Wednesday. “XSS vulnerabilities are rated Level 2 within the McAfee system. McAfee's daily HackerSafe scan does an effective job identifying many different types of vulnerabilities, including XSS. When McAfee identifies XSS, it notifies its customers and educates them about XSS vulnerabilities.”

Share this article:

Sign up to our newsletters

More in News

AOL Mail hack furthers spam campaign using spoofed accounts

AOL confirmed on Monday that it was aware of the issue and working to remediate the situation.

Backdoors in Wi-Fi routers, said to be closed, can be reopened

Backdoors in Wi-Fi routers, said to be closed, ...

Although said to be patched, researcher Eloi Vanderbeken discovered during the Easter holiday that backdoors existing in certain wireless routers can be reactivated.

Apple ships Mac OS X updates, fixes several code execution bugs

Apple ships Mac OS X updates, fixes several ...

Among the addressed vulnerabilities, was a bug affecting WindowServer, which could allow an attacker to execute malicious code outside the sandbox.