XSS

59 vulns in IE, teenager versus Turing, and Twitter gets wormed - 60 Sec Security [VIDEO]

Is 59 vulns in IE some kind of record? Did a computer really pass the Turing Test? Can a network worm ever be a joke?

Find out in one minute!

Twitter jumps to block XSS worm in Tweetdeck

A cross-site scripting flaw was disclosed this morning affecting the popular Twitter application Tweetdeck. It has now been fixed, but not before it wormed its way through thousands of browsers.

Yahoo pays first bug bounty - $12.50 in Company Store credit

$12.50 per vulnerability, only to be spent in the Yahoo Company Store, mind you, is what security researchers got for finding four XSS vulnerabilities. The security outfit, High-Tech Bridge, is understandably a bit miffed.

PayPal refuses to pay bug-finding teen

A 17-year-old German student says he found a bug on PayPal's site but the company won't fork over the reward money. PayPal said someone had already found the bug but they also cited an age guideline that isn't actually included in its bug bounty program guidelines.

Anatomy of an exploit - Linksys router remote password change hole

A security researcher from California has published a how-to guide detailing a number of exploits against various Linksys routers.

Paul Ducklin looks at the ominous-sounding "EA2700 Password Change Insufficient Authentication and CSRF Vulnerability"...

Apple password reset website - gaping hole found, fixed

Apple has had a good-bad-good-bad week of it in the computer security environment.

Its announcement of two-step verification for some users was quickly followed by a report of a password recovery exploit for everyone else...

"Omg this is so cool!" Pinterest hack feeds spam to Twitter and Facebook

Another rash of account takeovers on the photo-sharing site Pinterest has spilled over onto Twitter and Facebook, as spammers take advantage of linked accounts.

Apple offers iOS 5.1.1 update, fixes some serious vulnerabilities

Apple's latest update to iOS just came out.

Version 5.1.1 is more than just a cosmetic fix: it patches at least three security flaws, all of which should be considered serious.

25 'VeriSign Trusted' shops found to have XSS holes

A grey hat hacker has discovered cross-site scripting (XSS) holes in 25 UK online stores that are certified as safe by the likes of VeriSign, Visa, and MasterCard.

XSS flaw in WordPress 3.3 - How the smallest things make testing tough

Researchers discovered a cross-site scripting flaw in WordPress 3.3 yesterday that only occurs if you ran the installation with an IP address instead of a domain name. WordPress 3.3.1 is now available to fix the vulnerability.

Facebook explains pornographic shock spam, hints at browser vulnerability

Facebook has released a statement about the fast-spreading offensive messages that have been posted to many users' walls. They claim there is a browser vulnerability that allowed users to paste malicious JavaScript into their web browsers and post the offensive messages.

Weibo, China's Twitter-like service, hit by worm

A worm which broke out on Weibo exploited a cross-site scripting flaw and sent around messages claiming to link to naked photos of Fan Bingbing, romantic poetry and mobile phone spyware.

Sony Portugal latest to fall to hackers

Sony Music Portugal is the latest Sony asset to be targeted by hackers. Is there light at the end of the tunnel? Are there other Sony websites that are still flawed?

Facebook scam with a difference - Social Tagging Worldwide avoids rogue apps

Sick of reading about rogue apps on Facebook? Here's a Facebook scam with a difference.

A "profile viewer" scam under the name Social Tagging Worldwide tricks you via the clipboard, not via the usual rogue app.

September roundup - "90 Second News"

Don't just read the latest computer security news - watch it in 90 seconds! This month: when internet access chose the government; Adobe battles another zero-day; Twitter suffers XSS woes; and the Stuxnet malware keeps on making the wrong headlines.

The names and faces behind the 'onMouseOver' Twitter worm attack

It's been over 24 hours now since many Twitter users around the world found that their pages had become infested by messages spreading virally across the network. High-profile victims of the "onMouseOver" worm included ex-Prime Minister's wife...

Twitter 'onMouseOver' security flaw widely exploited

The Twitter website is being widely exploited by users who have stumbled across a flaw which allows messages to pop up and third-party websites to open in your browser just by moving your mouse over a link. In a worrying development...

The beginning of the end of popup porn, Facebook worms and cross-site phishing?

Visit just about any page on any website - including most of sophos.com - and your browser will suck in content from other sites, too. This third-party content is often sourced using script code, such as JavaScript, in the primary...

Reddit exploited - Shows the world how to respond

Last night it was reported that Reddit had been attacked and malicious JavaScript was disrupting the use of the site. In less than 24 hours, Reddit had not only fixed the issue, but had come clean on how it had...