F-Secure.com vulnerable to cross-site scripting
Written by DP, Thursday, 17 June 2010
*UPDATE 18/06/10*
 #1 - Issue quickly corrected as expected, F-Secure's chief security researcher Mikko responded.   
#2 - Xylitol tweeted: "Already on the past stats.f-secure.com, http://bit.ly/cAWIAM "Keep up the good work". So stop to say: "It's because he hates this company" and "F-secure is the best security suite, if i've searched a XSS... That is just to say this." (supported by a later tweet: "About my XSS work, all vulnerabilities found will be never a personal story, advisory only.")
The website of the Helsinki-based security vendor F-Secure is vulnerable to cross-site scripting (XSS), according to security researcher "Xylitol". Combining phishing techniques with the exploitation of XSS vulnerabilities could evidently lead to serious breaches. The F-Secure people surely have the essential awareness and strong security defenses to protect against this scenario.
F-Secure.com XSS Mirror 
In February 2009, a Romanian cracker (or, as the media would say, a "hacker") from hackersblog.org gained access to a non-critical F-Secure server hosting statistical data for marketing purposes and published the details.
F-Secure has been XSSed, hacked and defaced in the past:  
  
  
Source: Zone-H.org Digital Attacks/Web Defacement Archive 
 
We are sure that F-Secure will remediate this security issue in due time.
Screenshot: 
  
  
Related News: 
Forbes.com - Security Firm F-Secure Has Flaw in Web Site - 17 Jun 2010 - Daniel Kennedy 
Praetorian Prefect - F-Secure XSS on Anti-Theft Website - 17 Jun 2010  