Vulnerabilities found on website


A group of white-hat hackers has highlighted serious vulnerabilities on security vendor McAfee's website, pointing out flaws that could lead to information disclosure and other issues.

The YGN Ethical Hacker Group posted its findings on the Full Disclosure site on Monday. The vulnerabilities were reported to the security giant on Feb. 10, but the group decided to out the vulnerabilities publicly after McAfee appeared to take no action.

The hacking group found more than a dozen vulnerabilities on and McAfee's software download website, including cross-site scripting errors and information disclosure issues. In its message, the group said McAfee responded to its findings saying it was "resolving the issue as quickly as possible." The issue still wasn't completely resolved by March 28, when the group went public with the information.

In a statement, McAfee said the "vulnerabilities do not expose any of McAfee's customer, partner or corporate information. Additionally, we have not seen any malicious exploitation of the vulnerabilities."

Website vulnerabilities are extremely common. Security vendors have had their websites compromised in the past. In 2009, attackers exploited holes at the Kaspersky Labs customer support website. A number of hackers probed the Kaspersky website after the initial breach was published. The attackers failed to gain access to the customer data. In the past, errors have also been discovered on the corporate websites of Symantec Corp. and F-Secure.

McAfee admitted it was taking longer than expected to correct the flaws. It said the XSS flaw would, in a worst-case scenario, enable attackers to spoof McAfee. The information disclosure issues on both and its download site would give an attacker information on Web traffic and the website source code, but wouldn't "disclose any proprietary information or any customer information."

"McAfee has strict policies in place for its own websites and for services provided by third parties. Whenever a vulnerability is reported, McAfee strives to address it as soon as possible," McAfee said. "Unfortunately, the process has taken longer than we would have liked in this case. We are investigating the cause of the delay and will adjust our processes if necessary to prevent reoccurrence."

~Robert Westervelt