According to the site Nemesis / t3am3lite, Symantec has joined the ranks of sites that are susceptible to cross site scripting (XSS) attacks including iframe URL injection.
Um, oops.
From The Register:
The XSS, or cross-site scripting, bugs allow attackers to steal the web cookies Symantec sets on visitors’ hard drives. Such cookies are frequently used to prove a visitor has already entered a valid password, so the ability to lift the file could be a non-trivial lapse of Symantec’s security.
Other exploits showed it was possible to inject images from third-party websites such as imageshack.us. They were documented by a hacking collective that calls itself t3am3lite. Less-charitable hackers could exploit the hole to inject javascript or other types of code that exploits unpatched vulnerabilities or carries out other malicious acts.
For a collection of screen shots from the XSS bugs check out the Nemesis site. According to the site, Symantec has in fact been contacted about this problem and they’re working on it.
At the time of this posting the bugs were still live.
