https://www.facebook.com/502727856452797/videos/1312312478827660/
Not so difficult to figure out the vulnerable website this guy talks about...
Gianpaolo
On Wed, Dec 14, 2016 at 10:28:36PM +0100, Gianpaolo Pedrazza wrote:
> https://www.facebook.com/502727856452797/videos/1312312478827660/
> Not so difficult to figure out the vulnerable website this guy talks about...
Mmm.. the phishing/malware thing is well known by the IT (security) guys, but underestimated/unknown by the users/managers/non-IT ppl. Some awareness is always welcome, but maybe one or two words on how to (try to) avoid them would be useful..
About the vulnerabilities.. the screen seems to be the output of an automatic scanning tool, and the section displayed shows "DOM based XSS", which are often (when found through these tools) wrongly reported ("false positives"; and I mean, with an error rate between 95 and 100%..).
A manual review is always needed and could be done without violating the law/trying to break into the "target" (it is all "client-side"), but if this was done, no proof was given.
Btw, these attacks allow one to "steal" the account/session of other users, not to gain access to the targets with elevated privileges (higher than the privileges of the victims).
After, he speaks about "other vulnerabilities" that could allow one to break into these sites, but no details were given, which could mean "I hacked these sites, but of course I can't show any proof because (it isn't legal|I have an NDA|whatever)" or maybe it is just speculation for having something spicy to say..
ciao, I.