XSS vulnerability in iGoogle/Gmodules when calling external widgets

Written by Dimitris Pagkalos and Kevin Fernandez

Monday, 20 August 2007

x2Fusion sent me an interesting e-mail describing how it is possible to XSS an iGoogle personalized homepage via the widgets. iGoogle uses frames to open Gmodules, which calls third-party widgets. While this prevents cookie stealing, it can still be used to launch phishing attacks against iGoogle users, or directly via gmodules.com, by calling a malicious widget, which will be executed in the context of the gmodules domain.


White paper on Facebook XSS

Written by Dimitris Pagkalos

Saturday, 4 August 2007

Adrienne Felt is a student at the University of Virginia's School of Engineering, double majoring in computer science (B.S.) and mathematics. She is "currently examining the Facebook Platform as a case study on the security of mashups", and recently discovered a serious XSS vulnerability affecting the popular social networking website.


Nduja Connection: A cross webmail worm (XWW)

Written by Dimitris Pagkalos

Friday, 13 July 2007

Recently we were contacted by Rosario Valotta, who shared his latest research paper and a proof of concept of what he defines as a cross webmail worm (XWW). Rosario implemented the worm in order to demonstrate the significant negative impact it could have on unaware users of well-known webmail providers that are vulnerable to XSS. He named the worm "Nduja connection".


PayPal XSS adventure has finally come to an end

Written by Dimitris Pagkalos

Sunday, 8 July 2007

What is wrong with PayPal lately? I am a bit surprised that PayPal was until yesterday vulnerable to that XSS vuln which was submitted by 142TeeTH on the 22nd of June... Until early today, no prompt action was taken whatsoever by PayPal. Discovering security vulnerabilities in the largest online payment processor was never too easy - even underestimated ones like XSS.


Just another summer XSS in Digg.com

Written by Dimitris Pagkalos

Wednesday, 4 July 2007

Just another XSS vuln affecting Digg. Zuppergazi - a very active author - discovered it and notified us. Although we could not reproduce the last XSS in Digg (the reason being that it was promptly fixed), this time we were able to mirror it, and we want to believe that the author has already contacted their staff in order to let them know about the issue.


PayPal is again vulnerable to XSS

Written by Dimitris Pagkalos

Saturday, 23 June 2007

This is not the first time that PayPal is vulnerable to cross-site scripting... 142TeeTH has discovered and submitted to us two XSS vulnerabilities affecting PayPal.com. According to him, PayPal's technical staff are already aware of the issues.
