On the day that the company started a PR push for the Zscaler Application Profiler (ZAP), using a Cross-Site Scripting (XSS) flaw discovered in ESPN's ScoreCenter mobile application as a case study, an email started circulating detailing an XSS flaw on Zscaler's very own website.
On Friday afternoon, SecurityWeek received an anonymous email from someone who discovered an XSS flaw in the password reset function of Zscaler's website.
Zscaler is a San Jose, California-based company that provides cloud-based security to enterprises.
"Today zScaler released a press release concerning cross-site scripting (XSS) vulnerabilities on the ESPN website. zScaler is ignoring the proverb that those who live in glass houses shouldn't throw stones," says the email, quoted here in an unedited form.
"Despite their claims of 'Secure. Everywhere', zScalers own service contains multiple similar vulnerabilities to those they highlight on ESPN. The most egregious of these is a trivial cross-site scripting vulnerability on the zScaler login page. Using this vulnerability allows for the theft of zScaler sessions, and combined with another undisclosed vulnerability in their site can be used to steal login credentials for any of zScalers 10 million users worldwide."[...]
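The email above describes the classic consequence of reflected XSS on a login or password-reset page: injected script runs in the victim's origin and can read the session cookie. The following is an added illustration, not Zscaler's code and not the vulnerability the email describes; it uses a hypothetical reset-page renderer and a constructed, benign test payload to show the defect (echoing user input unescaped), the fix (HTML-escaping output), and the cookie attribute that keeps a session id out of reach of page script even when escaping is missed.

```python
import html
import re

# Added example (hypothetical, not Zscaler's code): a password-reset page that
# echoes the submitted address back to the user, in a vulnerable and a hardened form.

# Constructed, benign probe: the canonical XSS test string.
XSS_PROBE = "<script>alert(1)</script>"

def render_reset_page_vulnerable(email: str) -> str:
    """Concatenates the submitted address into the HTML unescaped (the defect)."""
    return (
        "<html><body><p>A reset link was sent to "
        + email
        + "</p></body></html>"
    )

def render_reset_page_hardened(email: str) -> str:
    """HTML-escapes the address, so any markup in it renders as literal text."""
    safe = html.escape(email, quote=True)  # escapes < > & " '
    return (
        "<html><body><p>A reset link was sent to "
        + safe
        + "</p></body></html>"
    )

def contains_live_script(page: str) -> bool:
    """Crude detection check: is there an unescaped <script> tag in the output?

    Useful as a unit-test oracle for output-encoding regressions; it is not a
    substitute for a real HTML parser or a browser-based scanner.
    """
    return re.search(r"<script\b", page, re.IGNORECASE) is not None

def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with HttpOnly, which hides the cookie from document.cookie.

    Secure and SameSite are included as the usual companions for a session cookie.
    HttpOnly limits the damage of a missed escaping bug; it does not fix the XSS.
    """
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"

def cookie_is_script_readable(set_cookie: str) -> bool:
    """True when a Set-Cookie value lacks HttpOnly, i.e. page script can read it."""
    attrs = {part.strip().lower() for part in set_cookie.split(";")[1:]}
    return "httponly" not in attrs

if __name__ == "__main__":
    print("vulnerable page executes probe:",
          contains_live_script(render_reset_page_vulnerable(XSS_PROBE)))
    print("hardened page executes probe:  ",
          contains_live_script(render_reset_page_hardened(XSS_PROBE)))
    print("session cookie readable by script:",
          cookie_is_script_readable(session_cookie_header("example-session-id")))
```

The two defences are independent: output encoding removes the injection, and HttpOnly stops the specific "steal the session cookie" outcome the email mentions if an encoding bug slips through. Neither replaces the other, and a Content Security Policy would be the usual third layer.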
As a SecurityWeek reader pointed out, this isn't the first time Zscaler has had an XSS vulnerability on its site. In May 2012, a security researcher found a similar vulnerability on Zscaler's website, which the researcher reported to the company under responsible disclosure.[...]