Frustrated by the indifference and lack of accountability from Microsoft and Amazon, a security researcher has disclosed details about security vulnerabilities found on the websites of both companies.
Yash Kadakia, an independent security researcher, is the individual who discovered these security flaws.
According to the researcher, hackers could exploit these vulnerabilities to steal cookie data, allowing them to gain access to accounts on Amazon.com and MSN.com, or to display a spoofed login page for online phishing attacks.
The vulnerabilities identified by Kadakia are categorized as cross-site scripting (XSS) flaws. These security issues are rated as moderately dangerous.
[Image: Security flaw on MSN exploited by Kadakia]
However, the test attacks conducted by this expert used a technique known as CRLF (Carriage Return Line Feed) Injection. This technique can be employed in more dangerous attacks with broader implications.
Kadakia reported this security flaw to Microsoft about a year ago. Similarly, the vulnerability found on Amazon.com was discovered back in December of last year but has yet to be fixed. For this reason, last weekend, the independent security researcher decided to escalate the issue by publishing images of the exploited vulnerabilities on his personal website. This move by Kadakia may aim to draw the attention of Microsoft and Amazon, urging them to address the aforementioned security flaws.
[Image: Security flaw on Amazon exploited by Kadakia]
Shortly thereafter, a spokesperson for Microsoft stated that the company is currently investigating the security flaws identified by Kadakia. Meanwhile, Amazon has yet to provide any official comments.
However, Kadakia mentioned that both Amazon and Microsoft are working to resolve these security vulnerabilities.
Web security vulnerabilities similar to those discovered by Kadakia have been known on the Internet for some time. However, hackers have primarily focused on exploiting vulnerabilities within operating systems. Now that operating system vulnerabilities are becoming harder to find, hackers are beginning to turn to new areas, including web applications. Consequently, more web security vulnerabilities are being discovered.
Earlier this month, a computer worm launched a significant attack on Yahoo’s webmail server. Dubbed JS.Yamanner@m, this worm has not caused widespread damage, but it has drawn attention to vulnerabilities in web applications.
The slow response from Microsoft and Amazon indicates that web security vulnerabilities are still not receiving the attention they deserve. These vulnerabilities exist on websites considered among the best in the world.
Hoàng Dũng