Friday, November 10, 2006

HackerSafe makes not so good news, again

Update: Kelly Jackson Higgins posted a follow-up, Group Tags More 'Hacker Safe' Sites, which by my reading was basically Scan Alert claiming XSS was more of a web browser vulnerability, rather than in the web server/application.

And sites flagged as XSS-vulnerable don't lose their Hacker Safe seal, he says. "The Hacker Safe seal is certification on the server-side infrastructure," Pierini says. "There are no vulnerabilities if you place an order on that site, and no vulnerabilities where someone has access to data on that server. You can't access data on that server with XSS."

I'm not going to detail out all the flaws here, most people reading here are probably well familiar anyway. Lets move on.

'Hacker Safe:' Safe for Hacker. BRUTAL. It can't be happy place today at the Scan Alert camp. They are probably fielding a lot of angry customer calls who are asking why they ended up on the wall-of-shame on Then also perhaps a slew of calls from customers not on the list asking if Scan Alert is missing vulns in their websites. Then again, who knows, maybe the merchants won't even notice. Check out these quotes from the article:

"The hackers at are at it again, and this time they have found cross-site scripting (XSS) vulnerabilities on a dozen or so Websites emblazoned with ScanAlert's "Hacker Safe" seal."

If you recall Scan Alert, who offers the HackerSafe logo, also ran into some media trouble last month. Here comes the interesting part, Scan Alert customers are suprised...

Daniel Patterson, lead Webmaster for Shoppers Choice, says his company has since corrected the XSS vulnerability on its site and will be looking for other potential bugs. "It was surprising -- we thought we had fixed the problem a while back," Patterson says. "It is also surprising that Hacker Safe apparently had not notified us of a seemingly popular method for XSS."

That's really good Shoppers Choice was able to fix the issue based on the information obtained from How bout that! Score for full-disclosure and business responsiveness. The bug hunters chime in...

RSnake, founder of and, says his own research has uncovered some vulnerability issues that ScanAlert missed. "I don't think Hacker Safe sites are any safer than non-Hacker Safe sites, despite their claim," he says.

So what does this mean for the Hacker Safe seal? "It seems either the Hacker Safe scans are ineffective, or they don't see it as a threat," kyran says. "I expect that if I keep searching for those sites, I will find XSS in them."

I'd have to agree with both of these statements.


David Kierznowski said...

Fair comments, but would either of you feel completely sure that the web applications you have tested are totally free of XSS vulnerabilities?

Jeremiah Grossman said...

Hi David, personally I'm never sure a website is completely free of any vulnerability. All software has bugs, we accept that. But I think the point being made here is the difference between the perceived value some security vendors are claiming vs. what is actually being delivered. I measure vulnerability assessment solutions by how much more time it takes to find that one first serious issue an attacker might need. My take on Scan Alert is its only taking the guys a few minutes (if that) on each site they look at. Other vendors, including myself, might charge more, but you get what you pay for is the message thats coming across.

Anonymous said...

I blogged this eons ago (that's internet eons, which is like dog eons only faster) .
I didn't bother looking for XSS at the time, but I think the point was made.

- Me.
I'm not a hacker, I'm N074h4x0r.