Wednesday, February 29, 2012
An Indian security researcher, Shadab Siddiqui, has found several big websites vulnerable to XSS attacks. He showed screenshots of the attack on the websites he found vulnerable.
Shadab found vulnerabilities in the Red Hat, Udemy and NEC websites. I personally know this Indian talent, who holds several global certifications such as CEH and ECSA. Shadab has also done security-related work for some Indian companies. He does not believe in defacing websites and works hard to secure websites and servers against hackers.
He showed XSS vulnerabilities on a subdomain of Red Hat and on the official sites of NEC (nec.com) and Udemy (udemy.com).
The site owned by NEC, the company supplying government agencies and private-sector companies with IT services, equipment and products for platforms and carrier networks, turns out to be highly vulnerable, while Udemy is a growing hub for online education.
“It’s quite vulnerable. It had many other vulnerabilities like directory listing, file upload vulnerability etc., but after I informed them about the vulnerability they patched it, but didn’t even have the courtesy to reply to me with a thanks,” Siddiqui told me about the Udemy vulnerability.
He also mentioned some vulnerabilities on Ask and AOL which were also shown by TeamHav0k.
“XSS vulnerabilities are both unsurprisingly common and usually quite easy to spot (in most cases). Despite the situation, XSS isn’t often considered a dangerous security risk. There are different types of XSS like non-persistent, persistent and DOM-based,” he explained.
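To make the "easy to spot" point concrete, here is an added example (not code from the article or from Siddiqui) of the non-persistent (reflected) case he mentions: a tiny search-results page that pastes a query parameter straight into HTML, beside the version that HTML-encodes it. The page template, the helper names and the sample input are all constructed for illustration; the persistent variant has the same root cause and the same fix, differing only in that the untrusted value arrives from storage rather than the URL.

```javascript
// Added example, not from the original article: reflected XSS in a constructed
// search-results page, shown next to the output-encoded version that fixes it.

// The five characters that can break out of HTML text or attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode untrusted text so the browser treats it as data, never as markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// VULNERABLE (constructed): the query is interpolated raw into the response, so any
// markup in the parameter is rendered by the victim's browser (non-persistent XSS).
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>\n<input name="q" value="${query}">`;
}

// FIXED: every untrusted value is HTML-encoded at the point it is inserted.
function renderSearchFixed(query) {
  const safe = escapeHtml(query);
  return `<h1>Results for: ${safe}</h1>\n<input name="q" value="${safe}">`;
}

// A check a code review or test suite can run: does the untrusted input survive
// unchanged, as raw markup, in the rendered output?
function containsRawMarkup(html, untrusted) {
  return html.includes(untrusted);
}

// Constructed sample input: closes the value attribute and injects a tag.
const SAMPLE_INPUT = '"><script>alert(1)</script>';

console.log("vulnerable:\n" + renderSearchVulnerable(SAMPLE_INPUT));
console.log("fixed:\n" + renderSearchFixed(SAMPLE_INPUT));
```

Run with `node` to see both renderings. The fixed output still displays the user's text verbatim on the page; only its interpretation by the browser changes, which is why output encoding at the template boundary, rather than input filtering, is the standard mitigation.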
Shadab also told me that there are many Indian government websites which are very vulnerable, but no one in India cares. He has also contacted many government agencies like DOAECC about the security issues. According to him, Indian software companies which work on government projects do not care about security, but they get the work through the power of money and profile. He does not want to mention the name of any vulnerable government website because it may give hackers a chance to attack.
He also promised to come up with more security-related issues in the near future.