McAfee website is full of security holes

Security vendor McAfee's website is full of security holes that could enable hackers to use cross-site scripting (XSS) and other attacks.

The vulnerabilities were posted on the Full Disclosure site by the YGN Ethical Hacker Group, after having been earlier reported to McAfee.

Security flaws include the site's vulnerability to cross-site scripting, as well as 18 instances of source code being disclosed, and one internal hostname being exposed.

Worryingly, the cross-site scripting vulnerability was found in the part of McAfee's site that hosted files for download.

No one from McAfee was available for comment but, in a statement, the company told Thinq_:

"McAfee is aware of these vulnerabilities and we are working to fix them. It is important to note that these vulnerabilities do not expose any of McAfee's customer, partner or corporate information. Additionally, we have not seen any malicious exploitation of the vulnerabilities.

Even so, the revelation will be uncomfortable news for chip giant Intel, which finalised its purchase of the insecurity outfit in February after announcing a $7.7 billion for the company in August 2010.

It's all the more embarrassing, given the fact that the company flogs a service called McAfee Secure to enterprise clients, certifying that their sites are free from just these kinds of vulnerability.

McAfee Secure scans web sites daily, and if a client's web site is certified as having a "high standard of security", users of McAfee's anti-virus and anti-malware products will see a 'McAfee Secure' badge appear in their browsers.

YGN says that it reported the vulnerabilities to McAfee on 10th February. Two days later the company responded, saying that it was "working to resolve the issue as quickly as possible". But after finding on 27th March that the security flaws had not been adequately patched, the group went public with the information.

This isn't the first time the security of McAfee.com has been found lacking. In April 2010, the site's forums were defaced using a XSS attack. Other XSS vulnerabilities were reported by security group XSSed as early as 2008.