Verisign, McAfee and Symantec sites can be used for phishing due to XSS

Phished by Michael Jackson!! :-PLast Update: 18/06/08
Should they all be trusted at first sight by unsuspecting online users? Yes, unfortunately this is the case with the websites of renowned and respected IT security companies. However, now that are all vulnerable to cross-site scripting, the possibilities to get phished and infected with malware and crimeware are dramatically increased.

Verisign.com XSS vulnerabilities (6 unfixed/18-06-08):
registrar.verisign-grs.com XSS submitted by C1c4Tr1Z
blogs.verisign.com XSS submitted by Zeitjak
knowledge.verisign.com XSS submitted by Zeitjak
foreseeresults.verisign.com XSS submitted by Zeitjak
servicecenter.verisign.com Redirect submitted by Zeitjak
ispcenter.verisign.com XSS submitted by Zeitjak

Fixed:
digitalid.verisign.com XSS submitted by Zeitjak
www-apps.verisign.com XSS submitted by TreX / unfixed since 16/01/2008!
search.verisign.com XSS submitted by bill
search.verisign.com XSS submitted by bill
www.verisign.com XSS submitted by i-landet / unfixed since 16/02/2007!!!
search.verisign.com.au XSS submitted by Harry Sintonen



Many high profile sites are "Verisign Secured" (allow me to have my doubts here) and Verisign's own one unsecured? Just wonder how easy it would be for the bad guys to phish your clients, or their customer base - I don't think that they are all aware of the risks imposed by XSS vulnerabilities.

Realize now the risk impact and not until you are forced to do so...

McAfee.com XSS vulnerabilities:
mastdb3.mcafee.com XSS submitted by Zeitjak (pending fix)
knowledge.mcafee.com XSS submitted by C1c4Tr1Z
knowledge.mcafee.com XSS submitted by holisticinfosec
us.mcafee.com XSS submitted by TreX
mcafee.com XSS submitted by kusomiso.com
mcafee.com XSS submitted by www.r3t.n3t.nl
www.mcafee.com XSS submitted by kusomiso.com
knowledge.mcafee.com XSS submitted by i-landet
mcafee.com XSS submitted by mityo on 13/06/08 / published on 15/06/08 (fixed-18/06/08)

8 out of 9 XSS vulns are fixed.

It is a shame that McAfee continuously lies to the users of their "Hacker Safe" clients...
Building user trust just with evil marketing is not the correct way forward! You do knowingly deceive online users with fake promises concerning their privacy and security. How is this for a business plan? :-/ Deliberate deception techniques like yours are only used for the sake of profiting from increased sales.
We are still receiving on a frequent basis many XSS vulnerable "Hacker unSafe" web sites.
It is an embarassing fact that your site is also vulnerable!

- "More bad news for McAfee, HackerSafe certification", Nathan McFeters, ZDNet Zero Day blog - 1 May 08
- "McAfee 'Hacker Safe' cert sheds more cred", Dan Goodin, TheRegister - 29 Apr 08
- "McAfee isn't 'McAfee Secure' or 'Hacker Safe'...", Nathan McFeters, ZDNet Zero Day blog - 13 May 08

Quoting from Russ McRee's blog post titled "McAfee is not McAfee Secure":

>A challenge was put forth on Zero Day, and it has been answered.
>Apparently, McAfee doesn't care about XSS on their own sites either.

>I'll let the video speak for itself.

>For the love of all thing good and proper, McAfee, please address this issue...for yourselves and the consumers who look to you to do >the right thing.

>Sincerely,
>Russ McRee

Symantec.com XSS vulnerabilities:
nct.symantecstore.com XSS submitted by C1c4Tr1Z
www-secure.symantec.com XSS submitted by Zeitjak
partnerlocator.symantec.com XSS submitted by S_e_YM_e_N
investor.symantec.com XSS submitted by mox
www4.symantec.com XSS submitted by TreX
www4.symantec.com XSS submitted byTreX
symaccount.symantec.com XSS submitted by www.r3t.n3t.nl
service1.symantec.com XSS submitted by www.r3t.n3t.nl
service4.symantec.com XSS submitted by www.r3t.n3t.nl
photocontest.symantec.com XSS submitted by www.r3t.n3t.nl
service1.symantec.com XSS submitted by www.r3t.n3t.nl
searchg.symantec.com XSS submitted by security0x00
www-secure.symantec.com XSS submitted by www.r3t.n3t.nl
securityresponse.symantec.com XSS submitted by www.r3t.n3t.nl
www.symantec.com XSS submitted by Saime
securityresponse.symantec.com XSS submitted by cachaca
partnerlocator.symantec.com XSS submitted byTotalSchaden
www4.symantec.com XSS submitted by TotalSchaden

10 out of 18 XSS vulns are fixed.

Quoting from this news article:
"Symantec.com is never going to get a status clientHold. Malicious phishers can still use the Symantec's XSS vulnerabilities to spread malware and steal personal sensitive information. Why did they choose to validate a mirror of a corrected PayPal XSS as a phishing site and give us the status clientHold? They should have the clientHold status for leaving an open door to the exploitation of their faithful customer's security and privacy."

I want to believe that all the above issues get fixed within the next few days.

Related News (Updated):
"Major Security Vendors' Sites Could Be Launchpads for Phishing Attacks", Tim Wilson, Dark Reading, 10 Jun 08
"Top security companies not immune to XSS problems", Steve Ragan, The Tech Herald, 11 Jun 08
"Verisign and anti-virus vendors fix cross-site scripting holes", Mike Barwise, heise Security UK, 13 Jun 08
"Scripting bugs blight security giants' websites", John Leyden, The Register, 13 Jun 08
"Major security sites hit by XSS bugs", Matthew Broersma, Techworld, 12 Jun 08

[Source: xssed]

0 comments