Researcher Publishes Details of Amazon.com, MSN Holes


Frustrated with what he calls a lack of response from Microsoft and Amazon.com, a security researcher has gone public with details of flaws on the two companies’ websites.

The flaws could be used by attackers to steal "cookie" data files that would allow them to access Amazon.com and MSN accounts, or to display a fake login page that could be used in phishing attacks, according to Yash Kadakia, the independent security researcher who discovered the flaws.

Although the cross-site scripting flaws he discovered are generally considered to be low-risk problems, Kadakia’s attack involves a technique called carriage return line feed injection, which can be used in a more serious and widespread attack, he said. Researcher Publishes Details of Amazon.com, MSN Holes - Security Feed - Blog - CSO Magazine

Linked by shanmuga Friday, 30th June 2006 1:32AM