A cross-site scripting (XSS) vulnerability may be exploited by hackers to bypass access controls.
Egyptian information security advisor Ebrahim Hegazy (Zigoo) has found an XSS vulnerability in the Avira license daemon, license.avira.com.
But instead of demonstrating it the normal way, with the usual "alert('MyName')" proof and a report, he decided to present it to the Avira security team differently, to show how an XSS vulnerability allows hackers to steal user accounts, with the credentials captured in clear text.
To demonstrate this attack he has created 4 files:
- avira.html - the fake login page
- log.php - the logger, which will log the credentials as clear text into a txt file
- avira.txt - credentials will be found here
- done.html - will show a congratulations message to fool the users
The video below explains the attack methodology:
According to Ebrahim Hegazy, the Avira team responded promptly and fixed the flaw in a short time. For those who consider XSS a low-severity vulnerability, now you can change your opinion.