Verisign, McAfee and Symantec sites can be used for phishing due to XSS

Sunday, 8 June 2008

Last Update: 11/07/08
Should they all be trusted at first sight by unsuspecting online users? Yes, unfortunately this is the case with the websites of renowned and respected IT security companies. However, now that are all vulnerable to cross-site scripting, the possibilities to get phished and infected with malware and crimeware are dramatically increased.

Verisign.com XSS vulnerabilities (6 unfixed/18-06-08):
registrar.verisign-grs.com XSS submitted by C1c4Tr1Z
blogs.verisign.com XSS submitted by Zeitjak
knowledge.verisign.com XSS submitted by Zeitjak
foreseeresults.verisign.com XSS submitted by Zeitjak
servicecenter.verisign.com Redirect submitted by Zeitjak
ispcenter.verisign.com XSS submitted by Zeitjak

Fixed:
digitalid.verisign.com XSS submitted by Zeitjak
www-apps.verisign.com XSS submitted by TreX / now fixed
search.verisign.com XSS submitted by bill
search.verisign.com XSS submitted by bill
www.verisign.com XSS submitted by i-landet / now fixed
search.verisign.com.au XSS submitted by Harry Sintonen



Many high profile sites are "Verisign Secured" (allow me to have my doubts here) and Verisign's own one unsecured? Just wonder how easy it would be for the bad guys to phish your clients, or their customer base - I don't think that they are all aware of  the risks imposed by XSS vulnerabilities.

Realize now the risk impact and not until you are forced to do so...

McAfee.com XSS vulnerabilities:
mastdb3.mcafee.com XSS submitted by Zeitjak (now fixed)
knowledge.mcafee.com XSS submitted by C1c4Tr1Z
knowledge.mcafee.com XSS submitted by holisticinfosec
us.mcafee.com XSS submitted by TreX
mcafee.com XSS submitted by kusomiso.com
mcafee.com XSS submitted by www.r3t.n3t.nl
www.mcafee.com XSS submitted by kusomiso.com
knowledge.mcafee.com XSS submitted by i-landet
mcafee.com XSS submitted by mityo on 13/06/08 / published on 15/06/08 (fixed-18/06/08)

All vulns are fixed (last update 11/07/2008).

It is a shame that McAfee continuously lies to the users of their "Hacker Safe" clients...
Building user trust just with evil marketing is not the correct way forward! You do knowingly deceive online users with fake promises concerning their privacy and security. How is this for a business plan? :-/ Deliberate deception techniques like yours are only used for the sake of profiting from increased sales.
We are still receiving on a frequent basis many XSS vulnerable "Hacker unSafe" web sites.
It is an embarassing fact that your site is also vulnerable!

- "More bad news for McAfee, HackerSafe certification", Nathan McFeters, ZDNet Zero Day blog - 1 May 08
- "McAfee 'Hacker Safe' cert sheds more cred", Dan Goodin, TheRegister - 29 Apr 08
- "McAfee isn't 'McAfee Secure' or 'Hacker Safe'...", Nathan McFeters, ZDNet Zero Day blog - 13 May 08

Quoting from Russ McRee's blog post titled "McAfee is not McAfee Secure":