http://www.theregister.co.uk/2008/04/29/mcafee_hacker_safe_sites_vulnerable/
By Dan Goodin in San Francisco
The Register
29th April 2008
Comment
More than three months after security bugs were documented in
more than 60 ecommerce sites certified by McAfee as "Hacker Safe," a
security researcher has unveiled a fresh batch of vulnerable websites.
Russ McRee, a security consultant for HolisticInfoSec.org [1],
documented cross-site scripting (XSS) errors in five sites that
prominently carry a logo declaring them to be Hacker Safe. As McRee
documented in a blog post [2] and accompanying video [3], the bugs make
it possible for attackers to steal authentication credentials and
redirect visitors to malicious websites.
All five of the sites subscribe to McAfee's HackerSafe certification
service [4], which audits the security of websites on a daily basis to
give visitors confidence they'll be safe when doing business there. Yet
McRee was able to find the bugs by using advanced Google searches to
pinpoint vulnerable web applications, and in at least one case, the XSS
vulnerability has been on the customer's site since January.
"There's a responsibility to the consumer that really seems to be
missing in that service," McRee told us. "The average consumer assumes
that because I see that label I must be safe."
The five vulnerable sites include Alsto.com [5], Delaware Express [6],
BlueFly [7], Improvements Catalog [8] and Delightful Deliveries [9]. We
asked all five for comment but only one of them, Delightful Deliveries,
responded. "As the #1 leading seller of Gift Baskets, security is a top
priority to us and our customers, we will work with HackerSafe and our
development team to resolve this issue," a representative said. He is
unaware of any breaches affecting the site, he added.
A McAfee spokeswoman said the company rates XSS vulnerabilities less
severe than SQL injections and other types of security bugs. "Currently,
the presence of an XSS vulnerability does not cause a web site to fail
HackerSafe certification," she said. "When McAfee identifies XSS, it
notifies its customers and educates them about XSS vulnerabilities."
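The article treats XSS as an "easily spotted" class of flaw, and the fix is correspondingly small. As an added illustration (not code from the article, McRee, or any of the sites named), the block below shows a search-results fragment built the vulnerable way, the same fragment built with HTML escaping, and a cheap check of the kind a certification scanner or a site's own test suite could run on the rendered output. The handler names, the constructed probe string, and the template tag list are assumptions for the example.

```javascript
// Added example (not from the article): a reflected-XSS-prone
// "search results" fragment beside its hardened form, plus a simple
// scanner-style check on the rendered HTML.

// Escape the five characters that let attacker-controlled text break
// out of an HTML text node or a quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the query parameter is concatenated straight into markup,
// so any tags it carries become part of the page.
function renderResultsVulnerable(query) {
  return `<h2>Results for ${query}</h2>`;
}

// Hardened: the parameter is HTML-escaped before it is placed in the page.
function renderResultsSafe(query) {
  return `<h2>Results for ${escapeHtml(query)}</h2>`;
}

// Detection check: does the rendered fragment contain any tag that the
// page template itself did not emit? A reflected parameter should never
// be able to add one.
function containsInjectedMarkup(html, templateTags) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !templateTags.includes(t));
}

// Constructed probe input (hypothetical): harmless text carrying markup
// characters, the sort of thing a scanner submits to a search box.
const PROBE = '<b onmouseover="x()">hi</b>';
const TEMPLATE_TAGS = ['<h2>', '</h2>'];

// Run both renderers against the probe and report whether the check
// flags each one.
function demo() {
  return {
    vulnerable: containsInjectedMarkup(renderResultsVulnerable(PROBE), TEMPLATE_TAGS),
    hardened: containsInjectedMarkup(renderResultsSafe(PROBE), TEMPLATE_TAGS),
  };
}

console.log(demo()); // { vulnerable: true, hardened: false }
```

The check is deliberately simple: it only asks whether the output grew a tag the template never had. That is enough to catch the reflected-parameter case the article describes, which is the point; a certification scan that runs daily has no excuse for missing it.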
These are only the latest Hacker Safe sites to be outed. In January,
researchers from XSSed.com [10] documented 62 websites subscribing to
the service that contained XSS vulnerabilities. A Hacker Safe
spokesman told InformationWeek [11] at the time that the bugs couldn't be
used to hack a server.
The vulnerabilities also raise the question of so-called payment card
industry (PCI) requirements for businesses that process credit card
payments. Websites that contain XSS vulnerabilities almost certainly
don't comply, McRee says, and yet most of the sites continue to accept
credit cards. But we'll leave deficiencies in that set of requirements
for another day.
McAfee has had three months to fix the deficiencies of this program, but
so far we see no evidence it's done so. We're all for services that help
websites stay on top of rapidly moving security threats. But there's a
term for programs that declare their customers Hacker Safe while failing
to catch easily spotted XSS flaws. It's called rubber stamping, and
it's time it stopped.
[1] http://holisticinfosec.org/
[2] http://holisticinfosec.blogspot.com/2008/04/still-not-hacker-safe-roll-video.html
[3] http://holisticinfosec.org/video/HS_ISSA/ISSA_Regional_HackerSafe.html
[4] http://www.scanalert.com/site/en/about/overview/
[5] http://www.alsto.com/
[6] http://delexpress.hudsonltd.net/
[7] http://bluefly.com/
[8] http://www.improvementscatalog.com/
[9] http://www.delightfuldeliveries.com/
[10] http://www.xssed.com/
[11] http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=205900444
_______________________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss