Page 21 - Cyber Warnings
Cross-site scripting remains a widespread retail vulnerability
By Alex Lating, Product Marketing Manager, Hexis Cyber Solutions
Believe it or not, an inelegant hack that's been around for more than a decade is still a prime vulnerability for retailers.

Cross-site scripting, better known in cybersecurity circles as XSS, exploits flaws in Web-facing and cloud-based applications to access business and customer data.
Major online retailer warned of XSS flaw
An XSS vulnerability was back in the news recently when an independent researcher discovered that the website of e-commerce giant eBay had the flaw.

As Motherboard reported, the security gap allowed hackers to build look-alike login pages in bids to steal passwords and credentials.

A researcher going by the handle "MLT" went so far as to demonstrate how to exploit the vulnerability. He or she built a page that was nearly indistinguishable from the actual eBay login page. A malicious hacker could then have used phishing emails to lure victims to the trap.

"MLT," to his or her credit, instead informed eBay of the problem and posted the vulnerability on a not-for-profit clearinghouse of XSS flaws. XSSposed.org boasts an impressive list of flaws volunteers have found at websites whose URLs you'll recognize, including amazon.com and apple.com. It's a crowd-sourced log of potential breaches that helps raise awareness and gets companies to close XSS flaws.

In the case of eBay, it took a few days, but company officials fixed the problem before anyone had exploited the vulnerability, according to Motherboard.
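The eBay case above is a reflected XSS: a page echoes attacker-controlled input back into its HTML, so a crafted link makes the trusted site itself render the injected markup (in that case a fake login form). The following is an added example, not code from the article or from eBay, showing a hypothetical retail search page rendered the vulnerable way beside the hardened way, plus the response headers a defender would add so that the browser defenses the article mentions can help. All function names, the probe string and the header values are assumptions for illustration.

```javascript
// Added example (not from the article). Hypothetical renderers for a retail
// site's search-results page, to show why output encoding stops reflected XSS.

// Vulnerable: the query is concatenated straight into the page, so any
// markup in the query becomes part of the trusted site's HTML.
function renderSearchPageVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened: every character with meaning in HTML is replaced by its entity
// before the untrusted value is placed in the page, so the browser treats
// the query as text, never as markup.
function escapeHtml(untrusted) {
  const entities = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => entities[ch]);
}

function renderSearchPageHardened(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Defense in depth: headers a hardened response should carry. A CSP without
// 'unsafe-inline' stops injected inline script even if encoding is missed
// somewhere; X-XSS-Protection enables the reflected-XSS filter of browsers
// from the era the article discusses (Internet Explorer, older Chrome);
// current browsers ignore it but it does no harm. Values are assumptions.
function hardenedResponseHeaders() {
  return {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    'X-XSS-Protection': '1; mode=block',
    'X-Content-Type-Options': 'nosniff',
  };
}

// A check a test suite can apply: no tag that originated in the untrusted
// input may appear verbatim in the rendered page. Tags that are part of the
// template itself (like <h1>) are not flagged.
function containsRawTag(html, untrustedInput) {
  const tagsInInput = untrustedInput.match(/<[a-zA-Z][^>]*>/g) || [];
  return tagsInInput.some((tag) => html.includes(tag));
}

// Constructed probe string: harmless markup of the kind a QA test would use.
const probe = '<b>probe</b> & "quotes"';

console.log('vulnerable :', renderSearchPageVulnerable(probe));
console.log('hardened   :', renderSearchPageHardened(probe));
console.log('raw tag leaks (vulnerable):', containsRawTag(renderSearchPageVulnerable(probe), probe));
console.log('raw tag leaks (hardened)  :', containsRawTag(renderSearchPageHardened(probe), probe));
```

The escaping shown is contextual to HTML body text; a value placed inside a JavaScript string, a URL or an attribute needs the encoder for that context, and a template engine that auto-escapes is the safer default for a whole site than hand-calling `escapeHtml`.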
Outdated browsers are a vector for XSS attacks
These days, up-to-date browsers have defenses against XSS attacks, but users out in the wild are notorious for relying on outdated browsers.

For instance, even now that Microsoft has stopped supporting earlier versions of Internet Explorer, an alarming number of people and companies continue to use the more easily breached predecessors to IE 11.
21 Cyber Warnings E-Magazine – January 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide