Discovering that your site is chock full of security vulnerabilities must be embarrassing for any company, but is surely doubly so when you are a company offering to secure your customers’ websites. According to the e-mail sent to the Full Disclosure mailing list by the YGN Ethical Hacker Group on Monday, this is exactly what happened to McAfee.
The group has discovered a cross-site scripting vulnerability and a number of information disclosure holes on mcafee.com and download.mcafee.com. They notified McAfee on February 10, and the company replied that they were working to resolve the issue as quickly as possible.
Fast forward a month and a half, and a check by the ethical hackers revealed that the vulnerabilities had been fixed only partially. So, they decided to make the matter public on Full Disclosure.
Taking into consideration the fact that McAfee offers the McAfee Secure service to other enterprises, and supposedly scans their sites daily for vulnerabilities, malicious links, phishing, hosted malware and more, this disclosure doesn’t paint a pretty picture of the company’s commitment to security.
“This is a serious lack of diligence with customers and resellers that must not go unnoticed,” commented a Brazilian security researcher in a blog post.
This is not the first time McAfee’s site has been found wanting in security – it was discovered to be open to cross-site scripting attacks on a few occasions during the last three years.
The group advised McAfee to monitor outbound traffic to detect potential information leakage and to make better use of the Web security experts it gained with the acquisition of Foundstone back in 2004.