Hackers expose holes in McAfee website
By Barry Collins
Posted on 6 May 2009 at 08:03
Security firm McAfee has been left with egg on its face after it was revealed the company's own website was susceptible to phishing attacks.
Various parts of the McAfee website were vulnerable to cross-site scripting (XSS) attacks, claims a detailed report on Read Write Web.
Perhaps the most serious was an XSS flaw in the McAfee Secure site - a service that supposedly certifies the security of third-party websites so that consumers know who to trust when shopping online.
The vulnerability could have allowed hackers to take control of customer accounts, even though the site was still bearing the McAfee Secure logo. Sites sporting the logo are meant to be scanned daily for security flaws, suggesting that either McAfee wasn't scanning its own website or that the flaw wasn't detected.
The attackers were also able to squirt HTML code into the McAfee Rebate Center, which would allow them to redirect McAfee customers to a phishing site.
A cross-site scripting attack on a security company is particularly serious, because customers place a great deal of trust in security firms and are often prepared to run applications from such sites.
McAfee was unavailable for comment at the time of publication, but in a statement sent to Cnet.com, the company claims: "McAfee has strict policies in place for its own websites and for services provided by third parties. We are investigating how these particular vulnerabilities were not identified in our screening process and will adjust our processes if necessary."
