[Infowarrior] - McAfee 'Hacker Safe' cert sheds more cred

Richard Forno rforno at infowarrior.org
Wed Apr 30 02:41:22 UTC 2008


McAfee 'Hacker Safe' cert sheds more cred
Rubber stamp factory exposed
By Dan Goodin in San Francisco
Published Tuesday 29th April 2008 23:50 GMT
http://www.theregister.co.uk/2008/04/29/mcafee_hacker_safe_sites_vulnerable/

Comment: More than three months after security bugs were documented in more
than 60 ecommerce sites certified by McAfee as "Hacker Safe," a security
researcher has unveiled a fresh batch of vulnerable websites.

Russ McRee, a security consultant for HolisticInfoSec.org, documented
cross-site scripting (XSS) errors in five sites that prominently carry a
logo declaring them to be Hacker Safe. As McRee documented in a blog post
and accompanying video, the bugs make it possible for attackers to steal
authentication credentials and redirect visitors to malicious websites.

All five of the sites subscribe to McAfee's HackerSafe certification
service, which audits the security of websites on a daily basis to give
visitors confidence they'll be safe when doing business there. Yet McRee was
able to find the bugs by using advanced Google searches to pinpoint
vulnerable web applications, and in at least one case, the XSS vulnerability
has been on the customer's site since January.

"There's a responsibility to the consumer that really seems to be missing in
that service," McRee told us. "The average consumer assumes that because I
see that label I must be safe."

The five vulnerable sites include Alsto.com, Delaware Express, BlueFly,
Improvements Catalog and Delightful Deliveries. We asked all five for
comment but only one of them, Delightful Deliveries, responded. "As the #1
leading seller of Gift Baskets, security is a top priority to us and our
customers; we will work with HackerSafe and our development team to resolve
this issue," a representative said. He is unaware of any breaches affecting
the site, he added.

A McAfee spokeswoman said the company rates XSS vulnerabilities as less severe
than SQL injections and other types of security bugs. "Currently, the
presence of an XSS vulnerability does not cause a web site to fail
HackerSafe certification," she said. "When McAfee identifies XSS, it
notifies its customers and educates them about XSS vulnerabilities."

These are only the latest Hacker Safe sites to be outed. In January,
researchers from XSSed.com documented 62 websites subscribing to the
service that contained XSS vulnerabilities. A Hacker Safe spokesman
told InformationWeek at the time that the bugs couldn't be used to hack a server.

The vulnerabilities also raise the question of so-called payment card
industry (PCI) requirements for businesses that process credit card
payments. Websites that contain XSS vulnerabilities almost certainly don't
comply, McRee says, and yet most of the sites continue to accept credit
cards. But we'll leave deficiencies in that set of requirements for another
day.

McAfee has had three months to fix the deficiencies of this program, but so
far we see no evidence it's done so. We're all for services that help
websites stay on top of rapidly moving security threats. But there's a term
for programs that declare their customers Hacker Safe while failing to catch
easily spotted XSS flaws. It's called rubber stamping, and it's time it
stopped.