'Hacker Safe' Web Sites Found Vulnerable
More than 60 Web sites certified to be "Hacker Safe" by McAfee's ScanAlert service have been vulnerable to cross-site scripting (XSS) attacks over the past year, including the ScanAlert Web site itself. While the XSS holes in the ScanAlert site and others have been addressed, some apparently have not been, leaving visitors potentially vulnerable to client-side attacks.
Joseph Pierini, director of enterprise services for the ScanAlert "Hacker Safe" program, maintains that XSS vulnerabilities can't be used to hack a server.
Still, Kevin Fernandez and Dimitris Pagkalos, two computer scientists who maintain XSSed.com, a site that has been tracking XSS vulnerabilities since February 2007, provided InformationWeek with a list of 62 Web sites certified as "Hacker Safe" on which XSS holes have been reported. The list includes brookstone.com, cafepress.com, cduniverse.com, gnc.com, mysecurewallet.nl, petsmart.com, and sportsauthority.com, among other familiar brands.
The XSSed.com site tracks whether reported XSS flaws have been fixed, but such information may not be accurate if the site making the repairs, or the initial discoverer of the hole, fails to report the fix.
Fernandez said the sites on his list displayed a "Hacker Safe" badge at the time XSS holes were identified. While some of these vulnerabilities have since been addressed, security researchers report that some sites currently certified as "Hacker Safe" also are currently vulnerable to XSS attacks.
I find the 'Hacker Safe' icon to be totally useless; one would be better off (at least financially) by just scanning their site with nikto or any other scanner, as all of them have XSS libraries these days.
Ohh! But you want the cool icon, which wards off hackers.. :p