McAfee plugs hole in its own security certification page
As the old proverb has it, 'the cobbler has the worst shoes'. It has now been reported that McAfee Secure, McAfee's security portal, has had poor shoes, or rather poor security, because until recently it was vulnerable to cross-site request forgery (CSRF).
McAfee Secure is a service that lets clients use the Hacker Safe tool to check their sites or online shops for security vulnerabilities and for compliance with the PCI Data Security Standard, which is important for credit-card transactions. If the check finds a site to be OK, the shop operator can display the McAfee Secure logo on the site. This is supposed to reassure customers that their data is well protected and that no danger lurks in transactions such as making payments.
The CSRF hole would have enabled attackers to access the McAfee Secure accounts of victims (shop operators). For an attack to succeed, the victim would have had to be logged in to McAfee and visiting a crafted web site at the same time. McAfee has also closed other cross-site scripting and code-injection holes that let phishers display their own content in the browsers of people visiting the McAfee site.
The discoverer of the CSRF hole, security researcher Mike Bailey, warns in his blog that McAfee is violating its own standards with these holes and, having been notified of the problems some five weeks ago, really ought to have removed the McAfee Secure logo from its own pages. He writes that McAfee moreover violated the PCI standard, because it evidently did not use a secure software development life cycle (SDL) in building this application. He also suspects that McAfee had never subjected its own site to an intensive penetration test or to a scan with Hacker Safe. Nevertheless, McAfee's description of its service still promises to find cross-site scripting and SQL-injection vulnerabilities. There were indications as far back as mid-2008 that McAfee's scanners were probably having problems sniffing out XSS holes. McAfee is now reported to have given its Secure site a more thorough check.
The usefulness, or otherwise, of certifications, seals and badges is open to dispute, as they often give clients a false sense of security. For example, cross-site scripting holes were recently found in several sites carrying the official TÜV stamp. At the start of the year, security vulnerabilities were also discovered in the web portals of McAfee's competitors. At Kaspersky, for example, SQL injection allowed access to client data, activation codes, security advisories, administrator names and shops.