20 Oct 2006
Two or three years ago I was demonstrating potential pitfalls to fellow developers and spotted a basic cross-site scripting vulnerability in a major UK retailer’s web site. As far as I could tell without further poking around, it’d let someone create a fake page on that domain, maybe steal login details, ask to install software, etc., the usual stuff. At the simplest level, a phisher could create a “GET [LATEST HOT GAMES CONSOLE] FOR 50 POUNDS” page asking for credit card details and spam the legitimate-looking URL out to thousands of people.
So I did the decent thing and tactfully emailed the technical staff. Within days I got a somewhat stern reply from a manager saying they’re well aware of such issues and take security very seriously. Strong “go away and mind your own business” vibes.
Recently I noticed that it’s still wide open. One added function call would sort it out but hey, they’re aware of such issues and take security very seriously, right?
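To make the "one added function call" concrete, here is an added example (not code from this post or from any of the retailers' sites) in Python: a hypothetical search-results renderer that reflects the query into the page, first as-is and then through `html.escape`, plus a small check a developer can run to see whether markup from the query survives into the output. The query string and function names are constructed for the illustration.

```python
import html
import re

# Constructed sample input: the sort of value a search box would pass along.
# A harmless tag is enough to show whether the page reflects markup verbatim.
SAMPLE_QUERY = "<marquee>games console</marquee>"


def render_results_unsafe(query: str) -> str:
    """Vulnerable form: the query is pasted straight into the HTML, so any
    markup in it becomes part of the page the browser interprets."""
    return f"<h1>Results for {query}</h1>"


def render_results_safe(query: str) -> str:
    """Hardened form: the one added call. html.escape turns <, >, &, " and '
    into entities, so the browser displays the text instead of parsing it."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def reflects_raw_tags(rendered: str, query: str) -> bool:
    """Detection check: does any tag present in the query appear verbatim
    (unescaped) in the rendered page? True means the page reflects markup."""
    tags = re.findall(r"<[^>]+>", query)
    return any(tag in rendered for tag in tags)


def round_trips(query: str) -> bool:
    """Escaping must not lose information: unescaping the escaped text
    gives back exactly what the user typed, so search still works."""
    return html.unescape(html.escape(query, quote=True)) == query


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_results_unsafe),
                           ("safe", render_results_safe)):
        page = renderer(SAMPLE_QUERY)
        print(f"{name:6} reflects markup: {reflects_raw_tags(page, SAMPLE_QUERY)}")
        print(f"       {page}")
```

Escaping at the point where untrusted text is written into HTML is the fix for this element context; text placed inside a script block, a URL, or an attribute value needs the encoding appropriate to that context instead.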
Another high street retail group had the same problem across three or four domains, and only sent an automated reply. Yet another failed to respond. Have a guess as to whether those sites have been fixed.
Many large organisations aren’t interested in hearing bad news, and nowadays having anything to do with IT vulnerabilities makes you far too vulnerable, so I now only report flaws in sites built by people I know. If you’re braver than me, test a whole load of e-commerce sites for XSS (hint: type <marquee> into the search box), write a scaremongering report about companies not keeping online Christmas shoppers safe, and cash in on the press attention. Just don’t blame me if an idiotic IT manager accuses you of hacking.