Xiphos Research reports that six percent of the 500 most visited UK websites (ranked by Alexa.com) may be exposed to attack through a nearly decade-old vulnerability.
The weakness lies in crossdomain.xml, a publicly available file: a permissive policy allows cross-domain access to the site's content from any origin. An attacker could probably obtain sensitive user credentials by combining a custom SWF file with phishing.
Of the 500 assessed sites, 215 had a crossdomain.xml file present (43 percent). Data being passed amongst sub-domains was allowed by 177 (35.5 percent) of the 500 sites. Thirty-seven (7.5 percent) of the 500 sites allowed data to be passed to any site on the internet; of these, 30 could be confirmed as serving sensitive content (six percent).
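The classification used in the figures above (policy present, sub-domain only, open to any site) can be reproduced by parsing each site's crossdomain.xml. The script below is an added example written for this page, not Xiphos Research's tooling; the policy files and site names it contains are constructed, and a real audit would fetch `/crossdomain.xml` from each host instead. It also flags `secure="false"`, which lets plain-HTTP origins read HTTPS content, a related weakness the article does not break out separately.

```python
"""Added example (not from the article or Xiphos Research): audit Flash
crossdomain.xml policies for over-broad access. Sample policies are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class PolicyReport:
    allowed: list = field(default_factory=list)   # domain patterns found
    wildcard_any: bool = False                    # domain="*" present
    subdomain_only: bool = False                  # every pattern stays within the site
    insecure_transport: bool = False              # secure="false" on some entry
    findings: list = field(default_factory=list)


def _within_site(pattern: str, site_domain: str) -> bool:
    """True if the pattern can only match the site itself or one of its sub-domains."""
    return pattern == site_domain or pattern.endswith("." + site_domain)


def classify_policy(xml_text: str, site_domain: str) -> PolicyReport:
    """Parse one crossdomain.xml and report what it grants to other origins."""
    report = PolicyReport()
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        report.findings.append(f"unparseable policy: {exc}")
        return report
    if root.tag != "cross-domain-policy":
        report.findings.append(f"unexpected root element <{root.tag}>")
        return report
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "").strip()
        report.allowed.append(domain)
        if domain == "*":
            report.wildcard_any = True
            report.findings.append('allow-access-from domain="*": any site may read responses')
        if el.get("secure", "true").lower() == "false":
            report.insecure_transport = True
            report.findings.append(f'secure="false" for {domain!r}: http origins may read https content')
    if report.allowed and not report.wildcard_any and all(
        _within_site(d, site_domain) for d in report.allowed
    ):
        report.subdomain_only = True
    return report


def tally(policies: dict) -> dict:
    """Count sites per category, mirroring the article's breakdown.
    `policies` maps site domain -> crossdomain.xml text, or None if the file is absent."""
    counts = {"total": len(policies), "has_policy": 0, "subdomain_only": 0, "wildcard_any": 0}
    for site, xml_text in policies.items():
        if xml_text is None:
            continue
        counts["has_policy"] += 1
        r = classify_policy(xml_text, site)
        counts["subdomain_only"] += int(r.subdomain_only)
        counts["wildcard_any"] += int(r.wildcard_any)
    return counts


# Constructed sample policies (hypothetical hosts, not real sites).
RESTRICTED = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="shop.example.co.uk"/>
  <allow-access-from domain="*.example.co.uk"/>
</cross-domain-policy>"""

WIDE_OPEN = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

PARTNER_HTTP = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.partner-cdn.example" secure="false"/>
</cross-domain-policy>"""

SAMPLE_SITES = {
    "example.co.uk": RESTRICTED,
    "bank.example": WIDE_OPEN,
    "retail.example": PARTNER_HTTP,
    "news.example": None,   # no crossdomain.xml served
}

if __name__ == "__main__":
    for site, xml_text in SAMPLE_SITES.items():
        if xml_text is None:
            print(f"{site}: no crossdomain.xml")
            continue
        r = classify_policy(xml_text, site)
        label = "WILDCARD" if r.wildcard_any else "sub-domain only" if r.subdomain_only else "third-party"
        print(f"{site}: {label} {r.findings}")
    print(tally(SAMPLE_SITES))
```

The fix for a wildcard policy is to list only the origins that genuinely need Flash access (or to remove the file entirely if nothing uses it), and to keep `secure` at its default so that HTTP origins cannot read HTTPS responses.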
The potential vulnerability was found at retailers, healthcare providers, financial services companies and a slew of other sectors. Affected parties have been informed and are in the process of addressing the flaw. According to Mike Kemp, co-founder of Xiphos Research, active exploitation of the vulnerability is relatively simple and is now well documented.