McAfee are one of the best-known names in Internet security, yet according to a post today on ReadWriteWeb, their website is “enabling malware distribution.” Lidija Davis’ post tells us:
During tests this weekend, we discovered the company who claims to “keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams,” has several cross-site scripting (XSS) vulnerabilities and provides the bad guys with a brilliant – albeit ironic – launching pad from which to unleash their attacks.
McAfee security problems
It was an XSS vulnerability that led to Twitter’s recent Mikeyy worm. Although that particular worm was fairly harmless, a hacker could quite easily exploit the XSS vulnerabilities on McAfee’s sites to (for example) redirect people to just about anywhere on the web.
At the time of writing this, I have not seen any response from McAfee. Watch this space!

A LOT of websites have that tiny “secure lock” that says you’re safe from hackers, or have https enabled and it means that your ass is impenetrable. They and McAfee are very wrong!
XSS is the most popular security hole.
XSS means account stealing, and (if permanent) could mean a web worm like the one on Twitter or the Samy worm on MySpace.
This XSS hole is bad, but I published a much more critical McAfee hole today, in the very application that clients use to test their own websites.
http://skeptikal.org/2009/05/epic-failure-from-mcafee.html
I’m amazed how little coverage this story got yesterday. Seems it was only picked up by the tech media, so the average user won’t even know.
Props to ReadWriteWeb for bringing this to my attention!!