He has now created a friendly XSS worm which uses these vulnerabilities to patch your system. More instructions on how to do this are in his blog post.
Now that the flaws are known to the public there is a big risk of XSS attacks happening. So you now have two options: wait for the official WordPress fix, or apply beNi's fix for immediate protection.
If you apply the patch from this recommendation, I am not responsible for any side effects this might have. But I trust beNi, so I think you can go on with the patching. Just make sure you do a proper backup before you start.
This year in February an XSS problem on Google's login page was found by the security expert beNi. See a screendump of how this "secure" SSL page could be corrupted, before the development team closed it down.
Google did respond to beNi and thanked him for the discovery, but he was a bit disappointed that they did not show more gratitude than they did. I understand him. A company the size of Google should be able to show greater gratitude towards nice hackers who help them protect their applications.
Since beNi wasn't so happy, he's now saying that in the future he will not warn them before he reveals similar exploits.
So the other day he showed us a proof of concept of how a criminal can get access to all contacts in Gmail and also the Google Authentication Token. These can be found on a page that generates an XML document. Really scary, actually. If you are logged in to your Gmail account you can see it for yourself by visiting the following address.
beNi continues by showing how this information can be used in an attack. For this he needed an XSS flaw on Google, and he found one rather quickly. Read his blog post for more information and images. I have also saved a screendump of the last step in the exploit, which you can see above.
So from now on we know that Gmail information isn't really safely kept. The only thing a criminal needs is an XSS flaw on Google, and there seem to be quite a few. If you're a Gmail user, I recommend you be careful when you see links going to Google. If there is any doubt about the source of the link, you shouldn't click it.
Personally I don't use Gmail and only have one contact there. But the fact that the Google Authentication Token can be accessed so easily makes me really nervous. I don't want anybody to take over my Google login and start playing around with my AdSense accounts and the other services I use.
Also read hac.kers.org, who comments on the disclosure.
During our discussion I told him that it would be interesting to see how secure Swedish web sites are. The security expert who calls himself "beNi" asked me to make a list of some well-known sites. I chose some that were fresh in my memory and have been in focus lately.
I got a reply from beNi and he tells me he has done some research. He only investigated DN, SvD and Twingly. The other three sites on the list loaded too slowly for him to work with (even though he has a 6 Mbit connection).
He found a whole bunch of insecure pages within a few minutes. Both DN and SvD contain some holes, as you can read on his blog. There are also five examples of URLs showing how these issues can be abused.
Examples of XSS vulnerabilities
These are the examples. I have also uploaded some screenshots of how the pages look when you visit them at the moment. These links are not dangerous to visit. But if you see something similar anywhere else, I would strongly suggest not trying them.
Twingly was safe from security issues. The site uses ASP.NET, which has a lot of built-in protection. Microsoft has realised the importance of protecting against XSS and has also released special APIs for protection. I will write about these at a later time.
DN, which uses Java, and SvD, which runs on classic ASP, were not so successful in the test.
Developers must wake up
It is quite embarrassing to see that news sites of this size don't have complete control of their web app security. Web masters must wake up and realise that you are not only risking the security of your own sites. The main thing about cross-site scripting is that it can be used to target other sites than the domain it is found on.
Update: There have been some responses to the Swedish version of this post, where I have documented the developments in more depth. In short, the following has happened.
Two of the links above were indexed by Twingly, which is a ping service connected to the news sites. That meant that this post was linked to from both of the news sites in connection with some articles, and received quite a lot of visitors.
I would like to thank Martin, working on Twingly, for pointing out that the URLs were normalized before they entered their system. Whether these links should have been indexed at all by the blog portal is still questionable.
I also temporarily removed the links, since I felt a bit guilty about publishing them without giving the site owners a warning first. I did email both of the news sites rather quickly after I wrote the blog post. SvD replied and thanked me for letting them know. They have now secured the issues, and I congratulate them on their swift action.
The issues on DN.se still remain unfixed and I have not heard anything from them. I will give them some time to fix the problems before I publish the links on my site again.
I want to keep these XSS links on my site as a reference for other developers. They might be useful for web masters to realise what kind of threat they are up against. The other reason I would like to keep the links on my site is that I would like to study how the search engines will respond to them. Will they, for example, be indexed by Google? Will they still work in the cached versions? It will be interesting to find out.
Update 2: We are happy to notice that DN has also fixed their security problems. Both sites managed to shut down their XSS flaws in only 1-2 days, which is really good.
As I understand it, the list is quite useful for "black-hat" optimizers, who can use the vulnerabilities to inject their own code in the URLs, and in this way include their own links and keywords. To spam the SERPs, in other words. Next to each site in the list there are PR (PageRank) values so that they can easily choose which target might be rewarding.
The list mostly features German addresses, but there is also a Danish web shop included. No Swedish addresses so far. That the well-known security company Verisign is at the top of the list is rather alarming. The XSS vector on this site I have not been able to try out, since you have to contact the owners of the site for access.
But many of the security holes do work, and the developers of the site provide examples with messages about the services they offer, along with advice on how to solve the issues.
As long as the search engines continue to index these hijacked URLs, the problem will continue. Not many site owners are aware of this new type of attack. The risk of being shut out of the search engine results is big if you have a vulnerability of this sort. A bad guy can start using it to distribute their own content that appears to come from your domain.
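Added example, not from the original post or from beNi's work: the defender-side check a site owner can run over web server access logs to see whether reflected script is being injected through URL parameters and whether a search engine crawler has fetched such a URL. It percent-decodes each parameter repeatedly, so double-encoded values of the kind that survive URL normalization are caught too. The log lines, IP addresses and user agents are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache/nginx-style access log lines (not real traffic).
LOG_LINES = [
    '203.0.113.5 - - [20/Mar/2007:10:01:00 +0100] "GET /search?q=weather HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Mar/2007:10:02:00 +0100] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5301 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Mar/2007:10:03:00 +0100] "GET /article?id=42&ref=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 7002 "-" "Googlebot/2.1"',
    '203.0.113.8 - - [20/Mar/2007:10:04:00 +0100] "GET /article?title=Election+night HTTP/1.1" 200 6100 "-" "Mozilla/5.0"',
]

# Request line, status code and user agent from a combined-format log line.
LOG_RE = re.compile(
    r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Markup fragments that have no business inside a search or article parameter.
INDICATORS = re.compile(r"<\s*script|<\s*iframe|<\s*img|javascript:|on\w+\s*=", re.I)


def normalize(value, rounds=3):
    """Percent-decode until stable so %253C (double-encoded '<') is seen as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url):
    """Return (name, normalized value) pairs whose value carries script indicators."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        norm = normalize(value)
        if INDICATORS.search(norm):
            hits.append((name, norm))
    return hits


def scan_log(lines):
    """One alert per request with suspicious parameters; 'crawler' marks Googlebot fetches,
    the case where an injected URL is about to be indexed under your domain."""
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("path"))
        if hits:
            alerts.append({"path": m.group("path"), "status": int(m.group("status")),
                           "crawler": "googlebot" in m.group("ua").lower(), "hits": hits})
    return alerts
```

A status of 200 on a flagged line means the page answered normally, so the next step is to confirm whether the parameter is reflected unencoded in the response and fix the output encoding there.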