A cross-site scripting (xss) vulnerability may be exploited by hackers to bypass access controls going beyond the exceptions.
An Egyptian information security advisor Ebrahim Hegazy (Zigoo) has found an XSS vulnerability in the Avira license daemon. license.avira.com
But instead of exploiting it in a normal way "alert('MyName')"
stuff and then reporting, He decided to demonstrate it to Avira security
team in a different mode with the purposes to show how could an XSS
vulnerability allows the hackers to steal user accounts with a clear text data!
To demonstrate this attack he has created 4 files:
- avira.html - the fake login page
- log.php - the logger which will log the credentials as clear text into txt file
- avira.txt - credentials will be found here
- done.html - will show a congratulation message to fool the users
According to Ebrahim Hegazy, Avira team responded promptly and fixed the
flaw in short time. For those who consider XSS vulnerability as low
severity vulnerability, now you can change your opinion.
Credits: Ebrahim Hegazy is an information security advisor
@Starware Group, acknowledged by Google, Microsoft and Ebay for finding
and reporting multiple vulnerabilities in their applications.
No comments:
Post a Comment