XSS vulnerability found in McAfee HackerSafe sites

Share this article:
For the second time this year, a security researcher has found websites certified as McAfee HackerSafe that contain vulnerabilities.

Russ McRee, a security consultant for HolisticInfoSec.org, discovered a number of websites that carry the HackerSafe logo, but have been found to be vulnerable to cross-site scripting (XSS) errors. According to a blog post written by McRee, the vulnerabilities make it possible for hackers to access authentication credentials or send users to malicious websites.

“These sites all take credit card information and house consumer data,” McRee told SCMagazineUS.com on Wednesday. “Even though McAfee says it isn't a hack on the server, that's really false. It's easy to show ways to steal consumer data in the context of your server through the user's browsers through the function of this vulnerability.”

McRee said that this latest discovery comes several months after 60 e-commerce sites with the HackerSafe certification service logo were also found vulnerable.

McAfee said XSS are less severe than other vulnerabilities, and the presence of one on a website does not cause it to fail HackerSafe certification.

“McAfee rates vulnerabilities on a five point scale, Level 1 being less severe and Level 5 being more severe,” Francie Coulter, a McAfee spokeswoman, told SCMagazineUS.com on Wednesday. “XSS vulnerabilities are rated Level 2 within the McAfee system. McAfee's daily HackerSafe scan does an effective job identifying many different types of vulnerabilities, including XSS. When McAfee identifies XSS, it notifies its customers and educates them about XSS vulnerabilities.”

Share this article:

Sign up to our newsletters

More in News

Accuvant taps Coca Cola CISO Guttmann as VP

Former Coca Cola CISO Renee Guttmann has joined Accuvant's Office of the CISO.

ICO fines U.K. travel firm £150,000 for 2012 breach

Data on more than one million credit and debit cards was pilfered in the 2012 breach of a system Think W3 Limited.

Firefox 32 feature could cut undetected malware downloads 'in half'

Mozilla plans to introduce a feature in Firefox 32 that, based on preliminary testing, could cut the amount of undetected malware downloads in half.