25 ‘VeriSign Trusted’ shops found to have XSS holes

25 'VeriSign Trusted' shops found to have XSS holes

VeriSign trusted logoA grey hat hacker has discovered cross-site scripting (XSS) holes in 25 UK online stores that are certified as safe by the likes of VeriSign, Visa, and MasterCard.

According to Softpedia, the XSS holes were found by a grey hat hacker named ‘Freedom’ who in the past has identified other such vulnerabilities in “some important websites.”

XSS vulnerabilities allow a wide spectrum of attack. These can include intercepting session cookies to steal sensitive information, including authentication credentials or billing info without the victim’s knowledge, or posting of messages with malicious payloads to a social network that then enable theft of victims’ session cookies and subsequent hijacking of sessions and impersonation of victims.

Here’s what Freedom had to say:

25 of these big sites all run the same script and it was not hard to find them all using a home made "Google dork". They try to filter the search on the main pages but then when you search for something that is well not there it then allows you to search again and this one has no limit to characters and very lil filtering.

A person with 5 mins of looking at XSS could make these sites fall to the knees and well do alot of damage to the reputations of these sites.

Sophos researchers advise taking that one with a grain of salt. While XSS attacks can in fact cause quite a bit of damage, they vary so widely in implementation and collateral damage that it’s impossible to back up this type of kick-your-knees-off claim without a detailed, independent, expert review of the discovered attacks.

At any rate, Freedom handed over screenshots that Softpedia said prove the presence of security gaps in sites including House of Fraser, Jacamo, Fashion World, Premier Man, Williams and Brown, Marisota, Ambrose Wilson, Viva la Diva, Fifty Plus, and High and Mighty.

The affected websites bear security logos from VeriSign Trusted, Internet Shopping is Safe, Internet Delivery is Safe, Verified by Visa, and MasterCard SecureCode.

The Softpedia article didn’t mention that these sites have been hacked yet, mind you – just that the vulnerabilities exist.

As VeriSign’s Trusted Seal division is now owned by Symantec, it seemed somehow appropriate to plug in one URL, for The Brilliant Gift Shop, into Symantec’s Norton Safe Web link checker, which found no threats.

Norton Safe Web link checker results

That doesn’t mean much of anything, however. As Sophos security expert Ross McKerchar noted, such scanning tools don’t discover all web vulnerabilities, and they’ll tell you in small print that they offer no such guarantee.

Upon looking these sites up, I also noted that many of the affected websites reported by Freedom have near-identical layouts. This points to the sites sharing some level of infrastructure, be it template, host or designer, meaning the weaknesses may be less than random.

Here’s Freedom’s take:

I have never in all my time found a script so poor been used by so many big brands.

But it tells me one thing they are all copy cats and think ohhh well if they use it, it must be secure and don't get it checked over, just slap it online and let users use code that is well pants.

Softpedia also mentioned similar XSS flaws being evident in online shops including JD Williams, Heather Valley, Classic Confidence, Nightingales, Simply Yours, That’s My Style, Home Essentials, Oxendales, Naturally Close, House of Bath, Classic Detail, The Brilliant Gift Shop, Crazy Clearance, Feel Good Essentials, and Simply Be.

As Sophos’s Ross McKerchar noted, these seals can lull people into a false sense of security. It’s just one more instance of how we expect security to be a binary matter: a simple choice between a nice green tick for secure and a crimson X for “get out of here!”

Unfortunately, security seals don’t amount to red on one end and green on the other end of the safety spectrum. They really only stand for a rainbow of grey.

While the security seal services check that you’ve locked the front door, they’re no guarantee of, or substitute for, security best practices.