'Hacker Safe': Safe for Hackers

Hackers are finding a home in 'Hacker Safe'-certified Websites

The hackers at sla.ckers.org are at it again, and this time they have found cross-site scripting (XSS) vulnerabilities on a dozen or so Websites emblazoned with ScanAlert's "Hacker Safe" seal. (See Hackers Reveal Vulnerable Websites and Two Vendors Deny XSS Flaws.)

Sla.ckers started hitting Hacker Safe-branded sites this week in an effort to disprove the seal's claim of a 99.9 percent hacker-prevention rate. "They are still vulnerable to the oh-so-common XSS," says sla.ckers.org member kyran, who has found most of the vulnerabilities in the sites. "So far it has been all XSS, but there are probably similar vulnerabilities, such as CSRF and SQL injection."

Among the Hacker Safe-certified sites exposed with XSS holes so far are Triton Health, Carparts Wholesale, Usenext, Shoppers Choice, Lifesource Water, and Gold Nutrition Store.

Daniel Patterson, lead Webmaster for Shoppers Choice, says his company has since corrected the XSS vulnerability on its site and will be looking for other potential bugs. "It was surprising -- we thought we had fixed the problem a while back," Patterson says. "It is also surprising that Hacker Safe apparently had not notified us of a seemingly popular method for XSS."

Joseph Pierini, director of enterprise services for ScanAlert, says the affected sites had been alerted previously about these vulnerabilities. So why did they get the Hacker Safe label if they didn't comply?

"The appearance or absence of the Hacker Safe certification mark on a Website is based on the presence of vulnerabilities that affect server-side data integrity. Customers are given 72 hours in which to remediate the vulnerability," he says. "Some vulnerabilities result in immediate removal of the Hacker Safe certification logo."

ScanAlert, which provides a combination of port scanners, penetration testing, and Web application vulnerability testing services, says it applauds any research demonstrating the "seriousness" of XSS.

ScanAlert has some big-name Hacker Safe customers: A&E Television Networks, Ace Hardware, American Red Cross, Fidelity National Financial, General Nutrition Centers, HP, Johnson & Johnson, NIKE, Northrop Grumman, PETCO, Ritz Camera, Sony, The Sports Authority, The World Bank, U-Haul, Visa, Warner Brothers, and Yahoo. None of these companies were found to have vulnerabilities by sla.ckers.org.

So what does this mean for the Hacker Safe seal? "It seems either the Hacker Safe scans are ineffective, or they don't see it as a threat," kyran says. "I expect that if I keep searching for those sites, I will find XSS in them."

Jeremiah Grossman, CTO of White Hat Security, which provides Website and application vulnerability scanning along with analysis from its security experts, says there's no way to find all XSS vulnerabilities on a Website by scanning alone.

RSnake, founder of ha.ckers.org and sla.ckers.org, says his own research has uncovered some vulnerability issues that ScanAlert missed. "I don't think Hacker Safe sites are any safer than non-Hacker Safe sites, despite their claim," he says. "Online consumers should take the same care when shopping at ScanAlert-certified sites as any other online retailer."

Meanwhile, sla.ckers hacker kyran says it's unclear if the problem is with XSS or with ScanAlert. "Whether this is because the scan is ineffective, or because XSS is more prevalent than we previously thought -- in my mind, that is still to be decided."

— Kelly Jackson Higgins, Senior Editor, Dark Reading