Tuesday, January 5, 2010

XSS Flaws in Twitter and Google Calendar

Darknet has the details on additional cross-site scripting flaws recently discovered in both Twitter and Google Calendar.

While the latest vulnerabilities were reported and rapidly remediated, how could they exist at all, given the pounding web sites took in 2009 from unmitigated XSS issues? Cross-site scripting is neither new nor subtle, and the defenses (context-aware output encoding, input validation) are well understood.

Are web-based application providers not routinely scanning their internet points-of-presence as part of their vulnerability management programs? Or are they turning around code changes and feature updates so rapidly that their change management practices suffer, and not enough testing is performed before code is promoted from QA to production? A reflected XSS flaw in a page that echoes user input is exactly the kind of defect an automated pre-release check should catch.
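The kind of pre-release gate the previous paragraph calls for, shown as an added illustration rather than anything from the original post or from Twitter or Google: a constructed page handler that reflects a query parameter without encoding, its hardened counterpart, and a check that feeds canary payloads through a render function and reports any that come back unencoded. The handler names, the probe list and the `/search` scenario are assumptions made for this example; the actual flaws in the two sites are not described on this page.

```python
import html

# Constructed example: a search page that reflects the query into its HTML.
# The vulnerable version is deliberately flawed to show what the check catches.
def render_search_vulnerable(query: str) -> str:
    # Vulnerable (illustrative): untrusted input lands in an HTML text node as-is.
    return f"<h1>Results for {query}</h1><input name=\"q\" value=\"{query}\">"


def render_search_hardened(query: str) -> str:
    # Hardened: the same value is HTML-encoded for both the text-node and the
    # attribute context. quote=True also encodes ' and " so the attribute
    # cannot be closed early by the payload.
    safe = html.escape(query, quote=True)
    return f"<h1>Results for {safe}</h1><input name=\"q\" value=\"{safe}\">"


# Canary payloads (constructed). None of them should ever appear verbatim
# in rendered output; the list covers text-node and attribute break-outs.
XSS_PROBES = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "'><svg onload=alert(1)>",
]


def find_reflected_xss(render, probes=XSS_PROBES):
    """Run each probe through a render function and return the ones that
    are reflected unencoded. An empty list means the page passed the gate."""
    findings = []
    for probe in probes:
        output = render(probe)
        if probe in output:
            findings.append(probe)
    return findings


def release_gate(pages):
    """Evaluate a mapping of page name -> render function. Returns a dict
    of only the pages that failed, so an empty dict means 'ship it'."""
    failures = {}
    for name, render in pages.items():
        found = find_reflected_xss(render)
        if found:
            failures[name] = found
    return failures


if __name__ == "__main__":
    # Hypothetical QA run: the vulnerable page blocks the release, the
    # hardened page does not.
    result = release_gate({
        "/search (vulnerable)": render_search_vulnerable,
        "/search (hardened)": render_search_hardened,
    })
    for page, probes in result.items():
        print(f"FAIL {page}: reflected {len(probes)} probe(s) unencoded")
    if not result:
        print("All pages passed the reflected-XSS gate")
```

The substring check is intentionally strict: a probe that is only partially encoded (say, angle brackets escaped but quotes left alone) no longer matches as a whole string, so in a real pipeline each probe should be paired with the single context it targets and the test should assert on the specific encoded form expected there.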

Ah, the joys of attempting to secure cloud computing.

As vendors push more offerings from the desktop to the cloud, you'll see attackers moving there too. Crooks are more likely to look for one of the thousands of unlocked windows (a reflected XSS flaw in a hosted application is exactly that), letting them steal valuable data unseen, than to kick down the door the way they did five years ago.

Willie Sutton never actually responded to the question of why he robbed banks with, "Because that's where the money is!", but know this: Attackers don't waste time and money on an exploit unless the return is favorable.

When sites are vulnerable, it's an open invitation to unwanted activity. Expect the bad guys to take advantage.
