Hackers find website vulnerabilities

More than a dozen errors at and its software download site could lead to cross-site scripting or other attacks, according to a group of hackers that discovered the flaws.

A group of white hat hackers has highlighted serious vulnerabilities in security vendor McAfee's website, pointing out flaws that could lead to information disclosure and other issues.

The YGN Ethical Hacker Group posted its findings on the Full Disclosure site on Monday. The vulnerabilities were reported to the security giant on Feb. 10, but the group decided to out the vulnerabilities publicly after McAfee appeared to take no action.

The hacking group found more than a dozen vulnerabilities on and McAfee's software download website, including cross-site scripting errors and information disclosure issues. In its message, the group said McAfee responded to its findings saying it was "resolving the issue as quickly as possible." The issue still wasn't completely resolved by March 28, when the group went public with the information.

In a statement, McAfee said the "vulnerabilities do not expose any of McAfee's customer, partner or corporate information. Additionally, we have not seen any malicious exploitation of the vulnerabilities."

Website vulnerabilities are extremely common. Security vendors have had their websites compromised in the past. In 2009, attackers exploited holes at the Kaspersky Labs customer support website. A number of hackers probed the Kaspersky website after the initial breach was published. The attackers failed to gain access to the customer data. In the past, errors have also been discovered on the corporate websites of Symantec Corp. and F-Secure.

McAfee admitted it was taking longer than expected to correct the flaws. It said the XSS flaw would enable attackers to spoof McAfee, in a worst case scenario. The information disclosure issues to both and its download site would give an attacker information on Web traffic and the website source code, but wouldn't "disclose any proprietary information or any customer information."

"McAfee has strict policies in place for its own websites and for services provided by third parties. Whenever a vulnerability is reported, McAfee strives to address it as soon as possible," McAfee said. "Unfortunately, the process has taken longer than we would have liked in this case. We are investigating the cause of the delay and will adjust our processes if necessary to prevent reoccurrence."

~Robert Westervelt