McAfee Website Vulnerable to XSS and Other Attacks

Tuesday, March 29, 2011

Headlines

69dafe8b58066478aea48f3d0f384820

Researchers at the YGN Ethical Hacker Group have revealed multiple security vulnerabilities found in the McAfee.com website that leaves the company's portal susceptible to attacks and data leakage.

The group found that the McAfee website contains flaws that also pose a threat to users, such as a cross-site scripting (XSS) vulnerability in the site where customers can download software.

XSS vulnerabilities allow attackers to bypass controls and inject script, meaning a hacker could potentially lead users to download malicious files when they believe they are accessing approved McAfee software.

The YGN Ethical Hacker Group also found eighteen instances of source code disclosure which gives attackers an advantage in preparing attacks, as they can search for flaws in how the application handles data in the user interface, as well as allow the attacker to set up a practice version of the application for experimentation.

The researchers reported the problems to McAfee on February 10, and received confirmation the the company was working on the issues on February 12.

As of March 27, the vulnerabilities were still present in the McAfee site, which prompted the YGN Group to release their findings to Full Disclosure mailing list.

This is sort of like seeing your mechanic's car broken down on the side of the road one day, and then driving by again two weeks later and noticing the car is still there - it does not give you a lot of  confidence in the mechanic.

While there are no shortage of companies that maintain websites with the same vulnerabilities, the revelations by the researchers about the flaws in the site proves to be embarrassing because one of McAfee's specialties is scanning websites for security problems with their McAfee "SECURE" service.

"The thing that really got me is that all of this is not about any vendor, it is about Mcafee, a vendor well known by its anti-virus software but also by its web security service McAfee Secure. This service provides customers with the label “Verified by McAfee Secure” so they can put in their website as a mark of safety. According to McAfee: 'The McAfee SECURE™ trustmark only appears when the website has passed our intensive, daily security scan. We test for possible personal information access, links to dangerous sites, phishing, and other online dangers.' In other words, the presence of this label means that the website is not vulnerable to the exact same vulnerabilities McAfee currently has," security researcher Pablo Ximenes blogged.

"Don’t get me wrong, I have no interest in damaging McAfee’s image, I even own a company that sells McAfee products, but this is a serious lack of diligence with costumers and resellers that must not go unnoticed." Ximenes noted.

Possibly Related Articles:
8954
Vulnerabilities
XSS Application Security Vulnerabilities McAfee Headlines Cross Site Scripting Source Code Website Security
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.