The failure of major Web sites to fix an old but serious security flaw has prompted the Computer Emergency Response Team to issue a new warning to Internet users: Self-defense may be your only protection against privacy- and security-stealing cross-site script attacks. According to the CERT, a federally funded information security clearinghouse, many high-profile sites, including online financial institutions and stores, have failed to heed CERT's nearly 2-year-old advisory on preventing cross-site script (CSS) attacks on their visitors.

As a result, Internet users who repose trust in such sites may be susceptible to an array of attacks from malicious third parties, including theft of passwords, credit card numbers, browser cookies, and other private data.

"The real impact of this vulnerability is not on sites but on their visitors. The sites consider it a minor issue, but for visitors, it's a pretty big security and privacy matter. They could be giving away personal information without knowing it," said Jason Rafail, an Internet security analyst with CERT.

The link for this article located at ComputerUser is no longer available.