CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
April 29th, 2008

McAfee “Hacker Safe” Certified Websites Found To Be Vulnerable

Russ McRee, a security consultant for HolisticInfoSec, documented cross-site scripting (XSS) flaws in five sites that prominently carry a valid logo declaring them to be Hacker Safe. As McRee documented in a blog post and accompanying video, the bugs make it possible for attackers to steal authentication credentials and redirect visitors to malicious websites. The findings come more than three months after security bugs were documented in more than 60 e-commerce sites certified by McAfee as “Hacker Safe”.

All five of the sites subscribe to McAfee’s HackerSafe certification service, which audits the security of websites on a daily basis to give visitors confidence they’ll be safe when doing business there. Yet McRee was able to find the bugs by using advanced Google searches to pinpoint vulnerable web applications, and in at least one case the XSS vulnerability had been present on the customer’s site since January.

The five vulnerable sites are Alsto.com, Delexpress.hudsonltd.net, BlueFly.com, ImprovementsCatalog.com and DelightfulDeliveries.com. These are only the latest Hacker Safe sites to be outed. In January, researchers from XSSed.com documented 62 websites subscribing to the service that were affected by XSS vulnerabilities. A Hacker Safe spokesman said at the time that the bugs couldn’t be used to hack a server.

The vulnerabilities also raise questions about compliance with Payment Card Industry (PCI) requirements for businesses that process credit card payments. Websites that contain XSS vulnerabilities almost certainly don’t comply, and yet most of the sites continue to accept credit cards.

McAfee has had three months to fix the deficiencies of this program, but so far we see no evidence it has done so. McAfee representatives have made no comment on Russ McRee’s recent discovery.
