Ever heard of Mydex? Here’s how they describe themselves:
Mydex provides the individual with a hyper-secure storage area to enable them to manage their personal data, including text, numbers, images, video, certificates and sound. No-one but the individual can access or see the data.
Not just secure, but hyper-secure! They’ve been signed up by the UK Government to provide Identity Assurance. Pretty impressive, eh?
Let’s ignore the fact that their website doesn’t use SSL and concentrate on the XSS flaw on the site.
Cross-Site Scripting (XSS) is, in simple terms, a way to force a web page to run some malicious code against the wishes of its owner. Let’s take a look at a simple example:
By searching for
We can force the page to display in italics.
This is because the search box’s input isn’t sanitised or encoded before it is written back into the page. You can put whatever you want in there and the web page will display it. For example, if you paste in the HTML code to display a photo, then this happens:
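To make the mechanism concrete, here is an added example (not Mydex’s code, and not taken from the site): a minimal search page that reflects the query term, shown once in the vulnerable form described above and once with the term encoded for each output context it lands in. The template, the sample queries and the `reflects_markup` check are all constructed for illustration.

```python
import html
from urllib.parse import quote

# Constructed sample inputs in the spirit of the post: an ordinary query,
# the italics tag, and an image tag. None of these are real site data.
SAMPLE_QUERIES = [
    "hyper-secure",
    "<i>hyper-secure</i>",
    '<img src="https://example.invalid/photo.jpg">',
]

# Hypothetical results page: the term appears in an HTML text context
# and again inside a URL (href) context, which need different encodings.
PAGE_TEMPLATE = (
    "<h1>Search results</h1>\n"
    '<p>You searched for: <span id="q">{query}</span></p>\n'
    '<a href="/search?q={query_url}">Search again</a>'
)


def render_vulnerable(query: str) -> str:
    """Reflects the search term verbatim, so any HTML the user typed
    (an <i> tag, an <img> tag) is interpreted by the browser."""
    return PAGE_TEMPLATE.format(query=query, query_url=query)


def render_fixed(query: str) -> str:
    """Encodes the term for its output context: HTML-entity encoding
    inside the element, percent-encoding inside the href."""
    return PAGE_TEMPLATE.format(
        query=html.escape(query, quote=True),
        query_url=quote(query, safe=""),
    )


def reflects_markup(page: str, query: str) -> bool:
    """Defender's smoke test: does a query containing a tag come back
    in the response unchanged? True means the page reflects markup."""
    return "<" in query and query in page


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q, "->", "vulnerable" if reflects_markup(render_vulnerable(q), q) else "ok",
              "/", "vulnerable" if reflects_markup(render_fixed(q), q) else "ok")
```

The same check, run against the real response of any page that echoes user input, is enough to catch the class of flaw the post describes; the fix is the context-appropriate encoding in `render_fixed`, not a blacklist of tags.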
To Mydex’s credit, a few minutes after reporting the flaw it was fixed.
There’s absolutely no suggestion that any user’s personal data was at risk here. I would consider it extremely unlikely that anything entered into that search field could have caused an SQL injection attack.
Mydex also operates a strict separation of their “publicity” site and their Personal Data Service – which really does seem very secure.
The Open Web Application Security Project (OWASP) lists the top ten most critical web security risks facing organisations. XSS is number 3.
If you’re running a website – especially one which deals in security – please take the time to read over the list and understand how to protect your business and your users.
- January 23rd – Reported and fixed.
- February 5th – Publication agreed.