Hackers Prove EA, IGN, ImageShack, NY Times, Verizon Vulnerable

[Jack]

A relatively new hacking collective, TeamHav0k, launched an operation called “#OP XSS” in which they try to find cross-site scripting (XSS) vulnerabilities in major websites. The first results of the operation came in and it turns out that a lot of important sites contain the flaw the hackers were looking for.

A Pastebin document reveals that websites such as the ones belonging to Verizon, Huffington Post, European Organization for Nuclear Research (CERN) , Electronic Arts (EA), IGN and New York Times contain some design flaws.

Some education institutions were also found to contain XSS security holes, including University of Illinois, Harvard, Yale and Rockefeller University.

Telecoms company Verizon, media hosting company ImageShack, value calcuhttp://news.softpedia.com/news/Hack...hack-NY-Times-Verizon-Vulnerable-247952.shtmllator and traffic estimator tool StatShow, Major League Gaming, and Dr Pepper complete the list.


Even though XSS vulnerabilities are among the most common ones found in commercial websites, this doesn’t mean they’re not dangerous. Cybercriminals can rely on these weaknesses to execute their own malicious codes and cause damage to the virtual assets of unsuspecting Internet users.

Fortunately, some web browsers protect their customers against these attacks. For instance, Internet Explorer 9 displays a warning message to reveal that the page is modified to prevent cross-site scripting.

Google Chrome also mitigates the attack, but Opera and Mozilla Firefox fail to do so, leaving their users exposed.

Read more ....

 

[Jack]

Well the good news here is that the modern web browsers should be able to stop a XSS attack....nevertheless this vulnerabilities need to be fixed.
Have to wonder why the hackers reported the vulnerability instead of actually exploiting them.... ?

 

[Prorootect]

Jack, because these hackers are 'Ethical hackers'.

Look here:
XSS Vulnerability found in MSN and Myspace by Ethical Hackers Vansh &Vaibhuv: by Ehackingnews.com: http://www.ehackingnews.com/2012/01/xss-vulnerability-found-in-msn-and.html

Quote:
'Ethical Hacker Vansh Sharma and his brother Vaibhuv Sharma discovered a Reflected XSS vulnerability in MSN and MySpace sites. Recently, he discovered XSS Vulnerability in ehackingnews and google apps sites.'

Then look here:
XSS Vulnerability found in google Apps by Vansh sharma: http://www.ehackingnews.com/2012/01/xss-vulnerability-found-in-google-apps.html

Quote:
'Ethical Hacker "Vansh sharma" and his brother(Vaibhuv sharma) found a reflected XSS vulnerability in Google apps site.'

'They have informed to google about the vulnerability.' - because they are 'Ethical', OK.?
.

 

[HeffeD]

Google Chrome also mitigates the attack, but Opera and Mozilla Firefox fail to do so, leaving their users exposed.

Firefox users can use the AdBlock Plus, NoScript, or RequestPolicy extensions to protect themselves from XSS attacks.

 

[jamescv7]

For Mozilla Firefox it does not have strong security features built in so with the power of famous addons surely they were protected in attacks. Even in Opera since some addons that could function to mitigate attacks for XSS.