A group of white hat hackers has highlighted serious vulnerabilities in security vendor McAfee's website, McAfee.com, pointing out flaws that could lead to information disclosure and other issues.
The YGN Ethical Hacker Group posted its findings on the Full Disclosure mailing list on Monday. The vulnerabilities were reported to the security giant on Feb. 10, but the group decided to disclose them publicly after McAfee appeared to take no action.
The hacking group found more than a dozen vulnerabilities on McAfee.com and McAfee's software download website, download.McAfee.com, including cross-site scripting (XSS) flaws and information disclosure issues. In its message, the group said McAfee responded to its findings by saying it was "resolving the issue as quickly as possible." The issue still wasn't completely resolved by March 28, when the group went public with the information.
In a statement, McAfee said the "vulnerabilities do not expose any of McAfee's customer, partner or corporate information. Additionally, we have not seen any malicious exploitation of the vulnerabilities."
Website vulnerabilities are extremely common. Security vendors have had their websites compromised in the past. In 2009, attackers exploited holes at the Kaspersky Labs customer support website. A number of hackers probed the Kaspersky website after the initial breach was published. The attackers failed to gain access to the customer data. In the past, errors have also been discovered on the corporate websites of Symantec Corp. and F-Secure.
McAfee admitted it was taking longer than expected to correct the flaws. It said that, in a worst-case scenario, the XSS flaw would enable attackers to spoof McAfee. The information disclosure issues on both McAfee.com and its download site would give an attacker information on Web traffic and the website source code, but wouldn't "disclose any proprietary information or any customer information."
"McAfee has strict policies in place for its own websites and for services provided by third parties. Whenever a vulnerability is reported, McAfee strives to address it as soon as possible," McAfee said. "Unfortunately, the process has taken longer than we would have liked in this case. We are investigating the cause of the delay and will adjust our processes if necessary to prevent reoccurrence."