The YGN Ethical Hacker Group (YEHG), a small group of ethical hackers from Myanmar, has posted details of cross-site scripting (XSS) vulnerabilities it found on McAfee.com. As ethical hackers, they first informed McAfee of these problems nearly six weeks ago, on February 10th 2011. However, since McAfee had not fully resolved the issues, they felt compelled to expose the problems publicly on the Full Disclosure mailing list.
These revelations are quite embarrassing for Intel, which paid $7.7 billion for the company in August 2010, because McAfee offers a service called McAfee Secure that certifies sites as being free from exactly these kinds of vulnerabilities.
YEHG found three types of problem on the McAfee website:
- XSS vulnerabilities. Cross-site scripting can allow attackers to inject client-side script into web pages viewed by other users.
- Internal hostname disclosure.
- Source code disclosure.
Since the disclosure, McAfee appears to have started remedying the problems: all the source code disclosure URLs listed by YEHG have now been fixed.