Skip to main content

shame-ostracism-blogs-and-xss-flaws

(0 comments)

There is an excellent post on Security Fix Blog about cross-site scripting flaws at major financial institutions pointed out by Lance James (author Phising Exposed.

The article will be eye-opening for most readers of the WaPo, as it is known in the blogosphere and old news for poeple in the industry. What caught my eye was the update:

Update, 12:24 p.m. ET: I've heard from a few people who were concerned that I was pointing out links to live exploits in the pictures in this blog post. Rest assured that in any of the pictures above, I have only included a view of the address bar in cases where the featured institution had already fixed the problem.

The verbiage is carefully chosen: "I have only included a view of the address bar in cases where the featured institution had already fixed the problem". That means that pictures without the address bar still have the problem! Sure enough, I checked the Amex.com XSS vulnerability and it is still there.

Did the WaPo and Security Fix let the financial institutions know they would be doing a blog post about flaws on their site? If it was going to be a front-page, business section piece, I'm sure they would have. Would they then have fixed the problem? Would the shame of a major flaw being published in major US newspaper have been enough to get Amex to fix the flaw? I hope that Security Fix does a follow up piece noting who had fixed their flaws and who has not.

Currently unrated

Comments

There are currently no comments

New Comment

required

required (not published)

optional

Recent Posts

Archive

2019
2018
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008

Categories

Tags

Authors

Feeds

RSS / Atom