HSBC XSS Vulnerabilities


According to XSSed, HSBC is open to XSS attacks:

Evidently, major unwanted consequences could be a result of multiple cross-site scripting vulnerabilities affecting bank web sites. XSS must be considered as the phishers' future weapon by all people working in the security industry.
Scammers can register domains and set up fake bank web sites in a few minutes. With the help of bulk e-mailers they can phish personal sensitive data from thousands of unsuspecting web users.
If they want to own HSBC's e-banking customers, all they have to do is to register a "suspicious" looking domain like hscsbc.com which is currently available and then serve a phishing page.
Even better, they can exploit a cross-site scripting vuln on hsbc.com, obfuscate the attack vector and significantly increase their phishing success rate! [From HSBC web sites are open to critical XSS attacks. Warning to customers! | News | XSSed.com]

According to WhiteHat Security, patching an XSS vulnerability takes, on average, almost three months. That's a long window of vulnerability.
