Archive for May 17th, 2008

Paypal XSS

The Register columns are getting better and better at web security related content.
In one single article, Dan Goodin managed to:

  1. Report an XSS hole in PayPal's "safe" area (the wet dream of all XSS kiddies), enabling all sorts of profitable scams, from credential stealing to automated transactions riding the session of an authenticated user.
  2. Make a very valid point about extended validation SSL certificates being overrated, if not just an expensive joke, because the green bar is more than happy to "certify" XSS-compromised pages as legitimate (obviously, since the injected script is served from the genuine origin): in other words, the perfect phishing works even better if you've got a modern, secure browser supporting EV SSL :)
  3. Deride McAfee's Hacker Safe one more time for its ridiculous stance on XSS vulnerabilities -- OK, that's just beating a dead horse...

Just a little addition of mine: despite PayPal's "safe browser" nonsense, there is only one browser that can actually save you from XSS exploitation.

In other news, Redmond - The Independent Voice of the Microsoft IT Community, formerly known as the Microsoft Certified Professional Magazine, joined the crowd of ASP/MS SQL Server sites that have been SQL-injected to serve JavaScript malware.
Considering the wide coverage this epidemic has enjoyed in the past week, I wonder what a "Certified Professional" usually reads, aside from Microsoft EULAs...
