Hackers have posted XSS (cross-site scripting) flaws from a number of high-profile media sites on a public message board, along with proof-of-concept code demonstrating how to exploit the flaws.
The posts follow media coverage last week of the 'Sla.ckers' messageboard, where users – who include software researchers and developers – began publicly posting exploit code for XSS flaws they'd found in high-profile websites such as MySpace, Photobucket and Dell and HP's sites.
Following the publicity, list users began paying closer attention to media sites, and posted flaws for the websites of Dark Reading, Fox News, The Independent, SC Magazine, ZDNet UK and others.
Dark Reading senior editor Kelly Jackson Higgins said the site was fixed shortly after the problem was reported. "We got the message loud and clear: don't assume you're immune to XSS vulnerabilities. They're everywhere," she wrote on the site.
XSS bugs have now overtaken buffer overflows as the top attack vector, according to US government researchers. Other research has confirmed that the focus for both attackers and the more benign folk of the Sla.ckers list has moved to web-based applications and systems.
This is partly because the more traditional vectors have become more difficult to exploit, and partly because websites, services and applications are relatively unprotected. Security experts have noted that most web designers don't have much security training, and that web vulnerabilities are quite common.