Update 15/11/2007: Mirrors now work! ;-)
You have probably noticed that the mirrors of all archived XSS-vulnerable websites do not show up. This is because some people submitted our domain to online anti-phishing services, which then validated it as a phishing site. Validation should be the result of researching a report and obtaining proof that it is accurate and adequate. It will become very tedious for us if, every time a new anti-phishing service appears, it marks our site as phishing and blocks our domain.
To be more specific, we have received abuse reports from PayPal, eBay and the French CERT, warning us that XSSed.net is hosting a PayPal phishing page.
My skeptical side wonders whether high-profile web companies may have submitted XSSed.net to anti-phishing services on purpose, in order to deny the undeniable fact that their online properties are vulnerable to cross-site scripting.
Funny thing that we are blacklisted on Symantec's phishreport.net because someone submitted a PayPal XSS mirror as a phishing site. Symantec itself is still vulnerable to a few XSS flaws; the mirrors can be viewed here:
These vulnerabilities can be used for phishing as well. The only difference is that Symantec.com is never going to get a clientHold status. Malicious phishers can still use Symantec's XSS vulnerabilities to spread malware and steal sensitive personal information. Why did they choose to validate a mirror of an already-corrected PayPal XSS as a phishing site and give us the clientHold status? They should have the clientHold status themselves for leaving an open door to the exploitation of their faithful customers' security and privacy.
The first time this incident occurred, Netcraft's response was very quick and they even helped us resolve the issue, as they did this time. We have not yet received any answer from Symantec's phishreport.net.