#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

XSS vulnerability | Breaking Cybersecurity News | The Hacker News

Category — XSS vulnerability
Vulnerabilities in 'All in One SEO Pack' Wordpress Plugin Put Millions of Sites At Risk

Vulnerabilities in 'All in One SEO Pack' Wordpress Plugin Put Millions of Sites At Risk

May 31, 2014
Multiple Serious vulnerabilities have been discovered in the most famous ' All In One SEO Pack ' plugin for WordPress, that put millions of Wordpress websites at risk. WordPress is easy to setup and use, that's why large number of people like it. But if you or your company is using ' All in One SEO Pack ' Wordpress plugin to optimize the website ranking in search engines, then you should update your SEO plugin immediately to the latest version of All in One SEO Pack 2.1.6 . Today, All in One SEO Pack plugin team has released an emergency security update that patches two critical privilege escalation vulnerabilities and one cross site scripting (XSS) flaw, discovered by security researchers at Sucuri, a web monitoring and malware clean up service. More than 73 million websites on the Internet run their websites on the WordPress publishing platform and more than 15 million websites are currently using All in One SEO Pack plugin for search engine optimization. Acco...
Worst Day for eBAY, Multiple Flaws leave Millions of Users vulnerable to Hackers

Worst Day for eBAY, Multiple Flaws leave Millions of Users vulnerable to Hackers

May 23, 2014
It's not been more than 36 hours since eBay revealed it was hacked and we just come to know about three more critical vulnerabilities in eBay website that could allow an attacker to compromise users' account once again, even if you have already reset your account password after the last announcement. Yesterday eBay admitted to the massive data breach that affected 145 million registered users worldwide after its database was compromised. eBay urged its 145 million users to change their passwords after the cyber attack, but are passwords enough? eBay Data breach happened mainly because of their vulnerable infrastructure, not weak passwords. I think eBay's morning just going to be bad to worse as today, three Security researchers came forward with three more different types of critical flaws in eBay website that leave its 145 million users vulnerable to hackers. HACKER UPLOADED SHELL ON eBAY SERVER (UNPATCHED) A critical security flaw in the eBay website for i...
The Future of Serverless Security in 2025: From Logs to Runtime Protection

The Future of Serverless Security in 2025: From Logs to Runtime Protection

Nov 28, 2024Cloud Security / Threat Detection
Serverless environments, leveraging services such as AWS Lambda, offer incredible benefits in terms of scalability, efficiency, and reduced operational overhead. However, securing these environments is extremely challenging. The core of current serverless security practices often revolves around two key components: log monitoring and static analysis of code or system configuration. But here is the issue with that: 1. Logs Only Tell Part of the Story Logs can track external-facing activities, but they don't provide visibility into the internal execution of functions. For example, if an attacker injects malicious code into a serverless function that doesn't interact with external resources (e.g., external APIs or databases), traditional log-based tools will not detect this intrusion. The attacker may execute unauthorized processes, manipulate files, or escalate privileges—all without triggering log events. 2. Static Misconfiguration Detection is Incomplete Static tools that check ...
Feedly Android App Javascript Injection vulnerability exposes Millions of Users to Hackers

Feedly Android App Javascript Injection vulnerability exposes Millions of Users to Hackers

Apr 20, 2014
When it comes to Android apps, even the simplest app could greatly compromise your privacy and security. Injecting malicious JavaScript into Android applications has drawn an increased attention from the hacking community as its market share spikes. According to security researcher Jeremy S. from Singapore, a critical vulnerability in the Feedly app left millions of android app users vulnerable to the JavaScript infections. Feedly is a very popular app available for iOS and Android devices, also integrated into hundreds of other third party apps, which offers its users to browse the content of their favourite blogs, magazines, websites and more at one place via RSS feed subscriptions. According to Google Play Store, more than 5 Million users have installed Feedly app into their Android devices. In a blogpost , the researcher reported that Feedly is vulnerable to JavaScript injection attack, which is originally referred as 'cross-site scripting' or XSS vulnerability, allows...
cyber security

Creating, Managing and Securing Non-Human Identities

websitePermisoCybersecurity / Identity Security
A new class of identities has emerged alongside traditional human users: non-human identities (NHIs). Permiso Security's new eBook details everything you need to know about managing and securing non-human identities, and strategies to unify identity security without compromising agility.
Vulnerability in World Largest Video Site Turned Million of Visitors into DDoS Zombies

Vulnerability in World Largest Video Site Turned Million of Visitors into DDoS Zombies

Apr 03, 2014
An application layer or 'layer 7' distributed denial of service ( DDoS ) attacks is one of the most complicated web attack that disguised to look like legitimate traffic but targets specific areas of a website, making it even more difficult to detect and mitigate. Just Yesterday Cloud-based security service provider ' Incapsula ' detected a unique application layer DDoS attack, carried out using traffic hijacking techniques. DDoS attack flooded one of their client with over 20 million GET requests, originating from browsers of over 22,000 Internet users. What makes this case especially interesting is the fact that the attack was enabled by persistent XSS vulnerability in one of the world's largest and most popular site - one of the domains on Alexa's " Top 50 " list. XSS  vulnerability  to Large-Scale DDoS Attack Incapsula has not disclosed the name of vulnerable website for security reasons, but mentioned it as a high profile video content provid...
Hacking Gmail accounts with password reset system vulnerability

Hacking Gmail accounts with password reset system vulnerability

Nov 22, 2013
Oren Hafif , a security researcher has discovered a critical vulnerability in the Password reset process of Google account that allows an attacker to hijack any account. He managed to trick Google users into handing over their passwords via a simple spear-phishing attack by leveraging a number of flaws i.e. Cross-site request forgery (CSRF), and cross-site scripting (XSS), and a flow bypass. In a proof of concept video demonstration, the attacker sends his victim a fake " Confirm account ownership " email, claiming to come from Google. The link mention in the mail instructs the recipient to confirm the ownership of the account and urged user to change their password. The link from the email apparently points to a HTTPS  google.com URL, but it actually leads the victim to the attacker's website because of CSRF attack with a customized email address. The Google HTTPS page will will ask the victim to confirm the ownership by entering his last password and then w...
PayPal denies to pay Bug Bounty reward to teenager

PayPal denies to pay Bug Bounty reward to teenager

May 28, 2013
When coders and online security researchers find errors in websites or software, the companies behind the programs will often pay out a bounty to the person who discovered the issue. The programs are intended to create an incentive for researchers to privately report issues and allow vendors to release fixes before hackers take advantage of flaws. A 17-year-old German student says he found a security flaw in PayPal's website but was denied a reward because he's too young. On PayPal's website, the company lists the terms for rewarding people who find bugs, but mentions nothing about the age of the discoverer.  The details of the vulnerability, i.e cross-site scripting flaw (XSS), is posted on Full Disclosure section. In Past we have seen that many times PayPal tried to cheat with new security researchers by replying various reasons on reporting bugs i.e "already reported by someone else", "domain / sub-domain is not under bounty program", ...
Hacking Facebook users just from chat box using multiple vulnerabilities

Hacking Facebook users just from chat box using multiple vulnerabilities

Apr 17, 2013
Nir Goldshlager , Founder/CEO at Break Security known for finding serious flaws in Facebook once again on The Hacker News for  sharing his new finding i.e Stored Cross-site Scripting (XSS) in Facebook Chat, Check In and Facebook Messenger. Stored Cross-site Scripting ( XSS ) is the most dangerous type of Cross Site Scripting. Web applications where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc 1.) Stored XSS In Facebook Chat: This vulnerability can be used to conduct a number of browser-based attacks including, Hijacking another user's browser, Capturing sensitive information viewed by application users, Malicious code is executed by the user's browser etc. When a user starts a new message within Facebook that has a link inside, a preview GUI shows up for that post. The GUI is used for presenting the link post using a parameter i.e  attachment[params][title]...
Minor flaw allows Hacker to hijack Avira Antivirus customers accounts

Minor flaw allows Hacker to hijack Avira Antivirus customers accounts

Apr 12, 2013
Cross site scripting vulnerabilities are mistakenly considered unimportant, but they could allow attackers to inject client-side script in web pages visited by victims. A cross-site scripting (xss) vulnerability may be exploited by hackers to bypass access controls going beyond the exceptions. An Egyptian information security advisor Ebrahim Hegazy (Zigoo) has found an XSS vulnerability in the Avira license daemon. license.avira.com But instead of exploiting it in a normal way " alert('MyName') " stuff and then reporting, He decided to demonstrate it to Avira security team in a different mode with the purposes to show how could an XSS vulnerability allows the hackers to steal user accounts with a clear text data! To demonstrate this attack he has created 4 files: avira.html - the fake login page log.php - the logger which will log the credentials as clear text into txt file avira.txt - credentials will be found here done.html - wi...
AirDroid vulnerability allows hackers to perform Dos attack from your Android device

AirDroid vulnerability allows hackers to perform Dos attack from your Android device

Apr 09, 2013
A vulnerability in AirDroid application  which provides wireless management of your Android phone or tablet from any browser on the same Wi-Fi network allow hackers  to perform Dos attack from your Android device. Cross Site scripting or  XSS vulnerability in the browser version of AirDroid allows an attacker is able to send a malicious text message to the browser associated with the account when attacker is able to get access to a phone with AirDroid installed. According to advisory posted by US-Cert , When this message is viewed on the AirDroid web interface an attacker can conduct a cross-site scripting attack, which may be used to result in information leakage, privilege escalation, and/or denial of service on the host computer. Vulnerability is currently not patched and also AirDroid team didn't annouce any update regarding fix. As a general good security practice, only allow connections from trusted hosts and network...
First week at MEGA Bounty Program, paid out thousands of dollars for seven Bugs

First week at MEGA Bounty Program, paid out thousands of dollars for seven Bugs

Feb 11, 2013
One week after launching a Bug bounty program by the Kim Dotcom 's new file-storage and sharing service MEGA claims to have fixed seven vulnerabilities. Although Mega hasn't shared how much money and to whom it paid out in the first week. But as promised, it is clear that MEGA paid out thousands of dollars in bug bounties during the first week of its security program. We found bug hunter yesterday (tweeted)- Mr.  Frans Rosén received 1000 Euros in the bug fixing challenge. This tweet was also Re-tweeted by Kim Dotcom later, that confirmed Frans's class III bugs reward. Congratulations @ fransrosen for XSS in #MEGA . Handsome EUR 1000 in Bug Bounty Program twitter.com/fransrosen/sta… — The Hacker News™ (@TheHackersNews) February 10, 2013 In a blog post, Mega explained how it classifies vulnerabilities and their impacts. Vulnerabilities were classified into VI classes, with I being the lowest risk and VI being the highest. Seven qualified bug details are as shown...
nCircle patches PureCloud vulnerability scanner on Vulnerability-Lab report

nCircle patches PureCloud vulnerability scanner on Vulnerability-Lab report

Jan 29, 2013
The Vulnerability-Laboratory Research Team discovered persistent and client side POST Injection web vulnerability in the nCircle PureCloud (cloud-based) Vulnerability Scanner Application. The vulnerability allows an attacker to inject own malicious script code in the vulnerable module on application side. Benjamin K.M. from Vulnerability-Laboratory provide more technical details about these flaws, the first vulnerability is located in the Scan Now > Scan Type > Perimeter Scan > Scan section when processing to request via the ` Scan Specific Devices - [Add Devices] ` module and the bound vulnerable formErrorContent exception-handling application parameters. The persistent injected script code will be executed out of the `invalid networks` web application exception-handling. To bypass the standard validation of the application filter the attacker need to provoke the specific invalid networks exception-handling error. In the second ste...
Red Hat patches multiple web application Vulnerabilities

Red Hat patches multiple web application Vulnerabilities

Jan 04, 2013
RED HAT has fixed multiple web application security issues that allowed hackers to extract website database using Blind SQL injection. Red Hat also confirmed a cross site scripting and Local File Inclusion Vulnerabilities on their website. Mohamed Ramadan Security Researcher and Trainer Attack-Secure , told ' The Hacker News ' that last year he reported 3 flaws to the company and they finally confirm and patch those in January 2013. Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application, rather than getting a useful error message, they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible. Local file inclusion is a vulnerability that allows the attacker to read files, that are stored locally through the web application.This happens because the code of the application does not pro...
Yahoo data leak by Virus_Hima, Why do we need a proactive security?

Yahoo data leak by Virus_Hima, Why do we need a proactive security?

Dec 17, 2012
In November I was contacted for first time by the Egyptian Hacker named ViruS_HimA who announced me to have hacked into Adobe servers and leaked private data. The hacker violated Adobe servers gaining full access and dumping the entire database with more of 150,000 emails and hashed passwords of Adobe employees and customers/partner of the firm such as US Military, USAF, Google, Nasa DHL and many other companies. ViruS_HimA specifically addressed the inefficient and slow patch management process that leaves exposed for long period "big companies".  " When someone report vulnerability to them, It take 5-7 days for the notification that they've received your report!! It even takes 3-4 months to patch the vulnerabilities! Such big companies should really respond very fast and fix the security issues as fast as they can ." Like , we reported two days before that one month old reported critical vulnerability of account hijacking in Outlook and Hotmail  is sti...
Exclusive : Hacking Hotmail and Outlook accounts using Cookie reuse vulnerability

Exclusive : Hacking Hotmail and Outlook accounts using Cookie reuse vulnerability

Dec 14, 2012
This Friday I was working with my co-security researcher " Christy Philip Mathew " in +The Hacker News  Lab for testing the Cookie Handling Vulnerabilities in the most famous email services i.e Hotmail and Outlook. Well, both are merged now and part of the same parent company - Microsoft, the software giant.  Vulnerability allows an attacker to Hijack accounts in a very simple way, by just exporting & importing cookies of an user account from one system to attacker's system, and our results shows that even after logout by victim, the attacker is still able to reuse cookies at his end. There are different way of stealing cookies, that we will discuss below. In May 2012, another Indian security researcher Rishi Narang claimed similar vulnerability in Linkedin website. Vulnerability Details Many websites including Microsoft services uses cookies to store the session information in the user's web browser. Cookies are responsible for main...
XSS vulnerability in 4shared and NATO Multimedia Library Exposed

XSS vulnerability in 4shared and NATO Multimedia Library Exposed

Nov 28, 2012
Inj3ct0r Team found cross site scripting vulnerability in  4shared , a file sharing site. Vulnerability link is exposed in a note  available at their website.  In general, cross-site scripting refers to that hacking technique that leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content from an end-user and collect some type of data from the victim. Also same hackers claiming to get access over a private server of NATO Library and expose the links online. Website titled " NATO Multimedia Library Online Catalog ". Inj3ct0r member told The Hacker News , " We found another secret NATO server. We received a root on the server and gave the world the hidden database to NATO personnel. Now everyone can look for a secret document ." These three servers are available online without authorization, but its not confirm that servers got hacked or not.
Expert Insights / Articles Videos
Cybersecurity Resources