A Cross Site Request Forgery (CSRF) vulnerability uncovered in McAfee's "secure" vulnerability scanning portal would have allowed attacker to take control of client accounts. The portal is designed to scan customer websites for security vulnerabilities and fulfil some PCI DSS compliance requirements.
To fall victim to the attack the target would have to be logged in to their McAfee account and browse to a malicious website that exploited the CSRF bug.
Commenting on his CSRF discovery, security researcher Mike Bailey didn't pull punches. "Until last week, McAfee Secure was vulnerable to critical CSRF holes," he wrote on his blog. "Not little ones, or ones that were difficult to exploit. [These are] basic, zero-knowledge, classic GET-based total-account-compromise holes."
McAfee did not comply with PCI requirements for Approved Scanning Vendors as defined by the PCI Security Standards Council, Bailey claims, and believes the company failed to use a secure software development lifecycle when building the application.
Furthermore, a penetration test should have caught the problem, he wrote, thus he concludes "no such audit has taken place".
Another, seemingly unrelated Cross Site Scripting (CSS) bug in a McAfee website allows miscreants to create pages that appear to be hosted on McAfee domains, when in fact the content is being served from elsewhere. Worse, no SSL errors would be generated in this attack, so even a vigilant user would be fooled.
SecureScience.net has demonstrated the attack by creating a "buy now" page for McAfee products, which, if a user clicked through to that page, would steal their credit card number and deliver a trojaned version of McAfee's product. (Click here for the dummied up CSS'd page. It won't bite.)
It's feared spammers could exploit the bug to offer seemingly legitimate "special deal offers" on McAfee products, using the CSS bug to create a genuine-looking purchase page with a valid SSL cert. McAfee, presumably, is scrambling to fix this second issue.
Ironically, marketing material for McAfee's secure scanning portal claims the service detects CSS vulnerabilities.
Sydney-based security consultant Chris Gatford, who works for Pure Hacking, believes the disclosures highlight an all too common hypocrisy among security providers. "It's a sad fact that many security service providers do not practice what they preach," he says.
Others thought the revelations were nothing short of hilarious. One local PCI Qualified Security Assessor (QSA), who did not want to be named, described the news as hysterical. "If there was a vote for lolz of the year I would be voting for McAfee Secure," he says. "That's just stunning."
McAfee isn't the only security vendor to wear egg on its face this year. The website of antivirus software maker Kaspersky was defaced in February. The website of BitDefender, another AV vendor, was also defaced.
Risky.biz sought comment from McAfee, but due to time-zone differences it was unable to offer any response in time for deadline.