Microsoft LIVE vulnerable to XSS Meta Manipulation Attack
The search.live.com search engine
index appears to be vulnerable to a form of XSS Meta Manipulation and
fraudulent content cross-domain injection attacks.
Links to XSS injected domains are being indexed and followed by the
Live spiders, as can be seen in the following example when searching
for “XSS Hacking” information:
http://search.live.com/results.aspx?q=hacking+xss&go=Search
Any user following the link from live.com to the Ethical Hacking expert knowledge site ethicalhacker.net will currently see this output:
It is unknown at this time if dynamic search engine rankings or
other abstract Web 2.0 technologies that rely on indexed search engine
results are affected by this vulnerability. It is very possible that
the search.live.com spider could be tricked into following and indexing
vulnerabilities far more serious than common cross-site javascript
alert() injections, but XSSWorm has not yet tested this exploit vector
on Live.
Thanks to XSSWorm readers, Ethicalhacker.net has now been informed
of the serious XSS injection bug in their installation of Wordpress. It
is obvious from the image above that the vulnerability is being
exploited in the wild by Blackhat SEO optimizers, malicious crackers
and possibly for cross-net spear pharming and targeted phly-phishing
attacks. Microsoft has not yet responded to this bug advisory as the
vulnerability still appears to be exploitable at time of writing. We
will post updates here at xssworm.com as new spider injection holes are discovered.
Post a Comment