Saturday, 27 October 2007

A new critical PayPal XSS was submitted to our archive by Fugitif. It can be exploited by malicious people to conduct phishing attacks. This cross-site scripting issue might be leveraged by an attacker to steal cookie based authentication credentials.

Thursday, 27 September 2007

Check out the new Google XSS vulnerability that beford discovered. Actually are exploits which allow attackers to steal information from Gmail accounts. These exploits have been successfully tested under all major browsers. Those of  you who use Firefox + NoScript plugin were fully protected against such kind of attacks.

Saturday, 22 September 2007

MustLive from websecurity.com.ua, has disclosed a cross-site scripting vulnerability in the very expensive Google Search Appliance solution for enterprises. Many high-profiled websites which use this product are currently vulnerable.

Monday, 20 August 2007

x2Fusion sent to me an interesting e-mail describing how is possible to XSS an iGoogle personalized homepage via the widgets. iGoogle is using frames to open Gmodules, which calls third party widgets. While this prevents cookie stealing, can still be used to launch phishing attacks against the iGoogle users, or directly via gmodules.com, by calling a malicious widget, which will be executed in the context of the gmodules domain.

Saturday, 4 August 2007

Adrienne Felt is a student of University of Virginia's School of Engineering, double majoring in computer science (B.S.) and mathematics. She is "currently examining the Facebook  Platform as a case study on the security of mashups", and recently discovered a serious XSS vulnerability affecting the popular social networking website.

Friday, 13 July 2007

Recently we were contacted by Rosario Valotta who shared his latest research paper and a proof of concept of what he defines to be a cross webmail worm (XWW). Rosario implemented the worm in order to demonstrate its significant negative impact that could have on unaware users of famous webmail providers which are vulnerable to XSS. He named the worm "Nduja connection".

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18