Microsoft LIVE vulnerable to XSS Meta Manipulation Attack

The search engine index appears to be vulnerable to a form of XSS Meta
Manipulation and fraudulent cross-domain content injection attacks.

Links to XSS injected domains are being indexed and followed by the
Live spiders, as can be seen in the following example when searching
for “XSS Hacking” information:

[Image: Example cross-domain content insertion]

Any user following the link from to the Ethical Hacking expert knowledge site will currently see this output:

[Image: Example cross-domain content injection]

It is unknown at this time if dynamic search engine rankings or
other abstract Web 2.0 technologies that rely on indexed search engine
results are affected by this vulnerability. It is very possible that
the spider could be tricked into following and indexing
vulnerabilities far more serious than common cross-site JavaScript
alert() injections, but XSSWorm has not yet tested this exploit vector
on Live.

Thanks to XSSWorm readers, has now been informed
of the serious XSS injection bug in their installation of WordPress. It
is obvious from the image above that the vulnerability is being
exploited in the wild by Blackhat SEO optimizers, malicious crackers
and possibly for cross-net spear pharming and targeted phly-phishing
attacks. Microsoft has not yet responded to this bug advisory as the
vulnerability still appears to be exploitable at the time of writing. We
will post updates here at as new spider injection holes are discovered.
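
For owners of an affected site, one way to check whether a search spider is fetching injected links is to scan the web server's access log for requests whose query string decodes to markup. This is an added example, not code from the original post; the combined log format, the markup pattern, the crawler token list and the sample lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2008:13:55:36 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"',
    '203.0.113.5 - - [10/Oct/2008:13:55:40 +0000] "GET /?s=xss+hacking HTTP/1.1" 200 4801 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"',
    '198.51.100.7 - - [10/Oct/2008:13:56:02 +0000] "GET /?s=%253Cmeta%2520http-equiv%253Drefresh%253E HTTP/1.1" 200 5002 "-" "Mozilla/5.0"',
]

# Assumed layout: ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)
# Markup that has no business in a search or page parameter (illustrative list).
MARKUP_RE = re.compile(r'<\s*/?\s*(script|meta|iframe|img|svg|object)\b|javascript:', re.I)
# User-agent substrings treated as search spiders (illustrative list).
CRAWLER_TOKENS = ("msnbot", "googlebot", "slurp")


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_injected_requests(lines):
    """Return (ip, status, crawler_or_None, decoded_query) per request carrying markup."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip, target, status, agent = m.groups()
        query = decode_fully(urlsplit(target).query)
        if not MARKUP_RE.search(query):
            continue
        crawler = next((t for t in CRAWLER_TOKENS if t in agent.lower()), None)
        hits.append((ip, int(status), crawler, query))
    return hits


if __name__ == "__main__":
    for hit in find_injected_requests(SAMPLE_LOG):
        print(hit)
```

A hit that carries a crawler token and a 200 status means the spider was served the injected page and may index it; those are the URLs to fix first and to request removal for.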

