McAfee “Hacker Safe” Certified Websites Found To Be Vulnerable
Russ McRee, a security consultant for HolisticInfoSec, documented cross-site scripting (XSS) errors in 5 sites that prominently carry a valid logo declaring them to be Hacker Safe. As McRee documented in a blog post and accompanying video, the bugs make it possible for attackers to steal authentication credentials and redirect visitors to malicious websites. This comes more than three months after security bugs were documented in more than 60 e-commerce sites certified by McAfee as “Hacker Safe”.
All five of the sites subscribe to McAfee’s HackerSafe certification service, which audits the security of websites on a daily basis to give visitors confidence they’ll be safe when doing business there. Yet McRee was able to find the bugs by using advanced Google searches to pinpoint vulnerable web applications, and in at least one case, the XSS vulnerability has been on the customer’s site since January.
The five vulnerable sites include Alsto.com, Delexpress.hudsonltd.net, BlueFly.com, ImprovementsCatalog.com and DelightfulDeliveries.com. These are only the latest Hacker Safe sites to be outed. In January, researchers from XSSed.com documented 62 websites subscribing to the service that contained XSS vulnerabilities. A Hacker Safe spokesman said at the time that the bugs couldn’t be used to hack a server.
The vulnerabilities also raise the question of so-called payment card industry (PCI) requirements for businesses that process credit card payments. Websites that contain XSS vulnerabilities almost certainly don’t comply and yet most of the sites continue to accept credit cards.
McAfee has had three months to fix the deficiencies of this program, but so far we see no evidence it has done so. McAfee representatives have made no comment on McRee’s recent discovery.