Articles about cross-site scripting

Put down the coffee, stop slacking your app chaps or whatever – and patch Wordpress

Internet scribblers who use WordPress must update their installation of the publishing tool following the disclosure and patching of six security holes. Version 4.7.3 of the content management system includes fixes for the half dozen flaws that could allow for, among other things, cross-site scripting and request forgery …
Shaun Nichols, 7 Mar 2017

Belkin's N150 router is perfect for learning hacking skills – wait, what, it's in production?

Belkin's home routers can be commandeered by hackers, thanks to a Telnet backdoor, a cross-site request forgery (CSRF) vulnerability and other bugs, we're told. Security researcher Rahul Pratap Singh warns that the Belkin N150's built-in web server, provided so users can configure their kit, doesn't perform enough checks on …
Shaun Nichols, 1 Dec 2015

Bargain basement iPhone shoppers BEWARE! eBay exposes users to phishing vuln

eBay bans the use of cross-site scripting on the online tat bazaar because it can open up the site's users to nasty phishing vulnerabilities. And yet, according to the BBC, some auction listings have been exposed to the exploit since February this year. Some users hunting for old iPhones could have been caught up in the …
Team Register, 21 Sep 2014
The Register breaking news

The Grauniad corrects an error on its website

The Guardian has fixed a minor cross-site scripting vulnerability on its website. The flaw, discovered and responsibly disclosed by security researcher Pete Houghton, occurred at the worst possible place on the UK broadsheet's website - right on its login page. Readers use the page to log in and comment on stories. In theory …
John Leyden, 19 Jul 2013

PayPal denies stiffing bug-hunting teen on bounty

PayPal has denied that it refused a teenage security researcher a reward for finding a potentially nasty bug on the basis that he was too young. The payments processing firm said that while it had denied the 17-year-old a reward, it was because another researcher had already reported the flaw. Robert Kugler, 17, found a cross- …
John Leyden, 30 May 2013

Yahoo! Mail! offers! HTTPS! amid! account! hijack! spree!

Vid Yahoo! is now offering to encrypt its webmail service with HTTPS for security-conscious users. Meanwhile, an exploit that allowed anyone to hijack Yahoo! Mail accounts if victims clicked on a link was being flogged to cybercrims for $700. The HTTPS development, which is not enabled by default, affords Yahoo! webmail users …
John Leyden, 10 Jan 2013

Yahoo! email! hijack! exploit!... Yours! for! $700!

A cross-site scripting (XSS) flaw on Yahoo! Mail creates a means to steal cookies and hijack accounts, according to a hacker who is offering to sell an alleged zero-day vulnerability exploit for $700. The cybercrook, who uses the online nickname TheHell, knocked up a video to market the exploit which he is attempting to sell …
John Leyden, 27 Nov 2012

'Self-aware' bank account robbing code unleashed by hacker

A hacker has published code for potent cross-site scripting attacks that he claims go beyond the usual cookie stealing and phishing for users' private details. Cross-site scripting (XSS) flaws allow attackers to present content under their control in the context of a vulnerable yet trusted site, thus tricking marks into …
John Leyden, 16 Dec 2011

McAfee site crawling with scripting bugs say researchers

Flaws on McAfee's website leave it vulnerable to cross-site scripting and other attacks, security researchers warn. YGN Ethical Hacker Group also discovered various lesser information disclosure bugs on the security firm's website, according to an advisory published on a full disclosure mailing list on Monday. YGN said it …
John Leyden, 29 Mar 2011

Password management site plugs info-leak bug

Password management site LastPass has plugged a security hole in its website that created a means to extract the email addresses - though not the passwords - of enrolled users. The cross-site scripting bug meant that logged-in users induced to visit a malicious site would disclose their email addresses and sites associated …
John Leyden, 1 Mar 2011

YouTube vuln pwns Justin Bieber fans

Hackers and pranksters began exploiting a newly discovered scripting flaw on YouTube on Sunday, provoking rumours that a virus was spreading on the site. The cross-site scripting flaw (XSS) on the video-sharing website created a means for hackers to post JavaScript code in the comments sections of videos. The flaw meant that …
John Leyden, 5 Jul 2010

Researcher shows how to strike back at web assailants

A security researcher has disclosed details on more than a dozen previously unknown vulnerabilities that people responding to web-based attacks can exploit to strike back at online assailants. The bugs reside in off-the-shelf crimeware kits that go by names such as Eleonore, Liberty, Neon, and Yes. Attackers install them on …
Dan Goodin, 17 Jun 2010

Major IE8 flaw makes 'safe' sites unsafe

Exclusive The latest version of Microsoft's Internet Explorer browser contains a bug that can enable serious security attacks against websites that are otherwise safe. The flaw in IE 8 can be exploited to introduce XSS, or cross-site scripting, errors on webpages that are otherwise safe, according to two Register sources, who discussed …
Dan Goodin, 20 Nov 2009

NHS heals serious spoof email flaw

Updated Cross-site scripting (XSS) vulnerabilities on the National Health Service's website created a means to send spoofed emails with dodgy medical advice. The vulnerabilities, now fixed, also created a potential means to run information-harvesting attacks. Various security shortcomings on the main nhs.uk website established a means …
John Leyden, 27 Aug 2009

MoD website outflanked by XSS flaws

Hackers have discovered cross-site scripting (XSS) vulnerabilities on the UK's Ministry of Defence website. The security shortcomings create a means for miscreants or pranksters to present content from a website under their control in a pop-up window that appears to come from the MoD. This class of flaw is very serious on …
John Leyden, 10 Aug 2009

MI5 website vuln builds mountain out of molehill

Hackers have uncovered information security shortcomings involving MI5's website, even though the problem is nowhere near as severe as one tabloid paper claims. A breathless Daily Express "exclusive" on Thursday claimed the breach created a possible means for hackers to attack the computers of surfers visiting the security …
John Leyden, 30 Jul 2009

StrongWebmail holds up hands to hack, plots further challenge

StrongWebmail has conceded that a group of ethical hackers beat its systems to claim a $10,000 prize, while reiterating its commitment to callback verification technology and plotting a further "hacker challenge". The US start-up was so confident of its claims to provide a secure webmail and calendar service that it challenged …
John Leyden, 10 Jun 2009

Hackers scalp StrongWebmail to claim cash prize

Ethical hackers are claiming a $10,000 prize for successfully breaking into the webmail account of the chief exec of StrongWebmail after the firm issued a "hack us if you can" challenge. StrongWebMail runs a callback verification system so that, in theory, even if someone obtains a user's login details they can't read email …
John Leyden, 5 Jun 2009

Biting the hand that feeds IT © 1998–2018