A new critical Google XSS vulnerability promptly corrected

Written by DP

Thursday, 27 September 2007

Check out the new Google XSS vulnerability that beford discovered. There are exploits which allow attackers to steal information from Gmail accounts. These exploits have been successfully tested under all major browsers. Those of you who use Firefox with the NoScript plugin were fully protected against this kind of attack.



Google Search Appliance is vulnerable to XSS

Written by DP

Saturday, 22 September 2007

MustLive from websecurity.com.ua has disclosed a cross-site scripting vulnerability in the very expensive Google Search Appliance solution for enterprises. Many high-profile websites which use this product are currently vulnerable.



XSS vulnerability in iGoogle/Gmodules when calling external widgets

Written by DP and KF

Monday, 20 August 2007

x2Fusion sent me an interesting e-mail describing how it is possible to XSS an iGoogle personalized homepage via the widgets. iGoogle uses frames to open Gmodules, which calls third-party widgets. While this prevents cookie stealing, it can still be used to launch phishing attacks against iGoogle users, or directly via gmodules.com, by calling a malicious widget, which will be executed in the context of the gmodules domain.



White paper on Facebook XSS

Written by DP

Saturday, 4 August 2007

Adrienne Felt is a student at the University of Virginia's School of Engineering, double majoring in computer science (B.S.) and mathematics. She is "currently examining the Facebook Platform as a case study on the security of mashups", and recently discovered a serious XSS vulnerability affecting the popular social networking website.



Nduja Connection: A cross webmail worm (XWW)

Written by DP

Friday, 13 July 2007

Recently we were contacted by Rosario Valotta, who shared his latest research paper and a proof of concept of what he defines to be a cross webmail worm (XWW). Rosario implemented the worm to demonstrate the significant negative impact it could have on unaware users of famous webmail providers which are vulnerable to XSS. He named the worm "Nduja connection".



PayPal XSS adventure has finally come to an end

Written by DP

Sunday, 8 July 2007

What is wrong with PayPal lately? I am a bit surprised that PayPal was until yesterday vulnerable to that XSS vuln which was submitted by 142TeeTH on the 22nd of June... Until early today, no prompt action was taken whatsoever by PayPal. Discovering security vulnerabilities in the largest online payment processor was never too easy - even underestimated ones like XSS.


