XSS vulnerability found in MasterCard site by NullCrew


The well-known hacker group NullCrew has discovered a non-persistent cross-site scripting (XSS) vulnerability in the official website of MasterCard. The subdomain "Mobile Payments Readiness" (mobilereadiness.mastercard.com) was found to be vulnerable to XSS attack.

http://mobilereadiness.mastercard.com/country-comparisons/index.php?c1=s...("NullCrew")</script>

Usually, non-persistent (reflected) XSS is considered low risk. Even though the risk level is estimated as low, attackers can steal user accounts through a social engineering attack.
  
For instance, a hacker can redirect a victim to malicious or phishing sites by injecting a redirection script in the URL. I have tested the redirection script; it successfully redirects me to another site.

The above script redirects to Google. An attacker can send the crafted link and lure users into believing they are visiting the legitimate MasterCard site. But, in fact, they are being redirected to a malicious site.
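The flaw described above comes from writing a query parameter back into the page unchanged. The following is an added example, not code from the MasterCard site or from the original article, showing that pattern next to two fixes (allow-list validation and output encoding). It assumes that `c1` carries a short country code; the host name, function names and sample requests are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: c1 is meant to hold a 2-3 letter country code (the article does not say).
COUNTRY_CODE = re.compile(r"[A-Za-z]{2,3}")


def _c1(url: str) -> str:
    """Return the URL-decoded value of the c1 query parameter ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("c1", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the parameter into HTML verbatim: the reflected-XSS pattern."""
    return f"<h1>Comparison for {_c1(url)}</h1>"


def render_encoded(url: str) -> str:
    """Output encoding: markup characters become inert HTML entities."""
    return f"<h1>Comparison for {html.escape(_c1(url), quote=True)}</h1>"


def render_hardened(url: str) -> tuple[int, str]:
    """Allow-list validation first, then encode on output as defence in depth."""
    value = _c1(url)
    if not COUNTRY_CODE.fullmatch(value):
        return 400, "<h1>Invalid country code</h1>"
    return 200, f"<h1>Comparison for {html.escape(value, quote=True)}</h1>"


# Constructed sample requests (hypothetical host, not the URL from the article).
BASE = "http://example.test/country-comparisons/index.php"
BENIGN = BASE + "?c1=NL"
MARKUP = BASE + "?c1=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    for url in (BENIGN, MARKUP):
        print("vulnerable:", render_vulnerable(url))
        print("encoded:   ", render_encoded(url))
        print("hardened:  ", render_hardened(url))
```

With the markup request, the vulnerable renderer returns a live script element, the encoded renderer returns the same text as harmless entities, and the hardened renderer rejects the request before anything is reflected.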

NullCrew has also discovered an XSS vulnerability on the Department of Homeland Security

 

 

Published by:


Name
Reza Rafati

Information
I am the founder of Cyberwarzone.com and I focus on sharing and collecting relevant cyberconflict news. The goal of Cyberwarzone is to provide the world a portal with global cyberwar information. The effort in getting this cyberwarfare information is hard. But as the internet is growing we need to get a global cyberwar & cybercrime monitoring system, by the people and for the people. We will be gathering information about cybercrime, cyberwarfare and hacking. LinkedIn: http://www.linkedin.com/pub/reza-rafati-%E2%99%82/1a/98b/197

Country
The Netherlands

My website
Cyberwarzone.com

Twitter:
http://twitter.com/#!/cyberwarzonecom