The well-known hacker group NullCrew has discovered a non-persistent cross-site scripting (XSS) vulnerability in the official website of MasterCard. The "Mobile Payments Readiness" subdomain (mobilereadiness.mastercard.com) was found to be vulnerable to an XSS attack.
Usually, non-persistent (reflected) XSS is considered low risk. Even though the risk level is estimated as low, attackers can still steal user accounts by combining it with a social engineering attack.
For instance, a hacker can redirect a victim to a malicious or phishing site by injecting a redirection script into the URL. I have tested the redirection script; it successfully redirected me to another site.
The above script redirects to Google. An attacker can send the crafted link and lure users into believing they are visiting the legitimate MasterCard site, when in fact they are being redirected to a malicious site.
NullCrew has also discovered an XSS vulnerability on the Department of Homeland Security website.
http://mobilereadiness.mastercard.com/country-comparisons/index.php?c1=sg"><script>alert("NullCrew")</script>
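As an added illustration from the defender's side (not part of the original post or MasterCard's code), the Python below shows why the c1 value in the URL above breaks out of an HTML attribute when it is reflected unencoded, and how attribute-context encoding plus an allow-list check for the expected two-letter country code prevents it; the surrounding input markup is an assumption, not taken from the real page.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# The proof-of-concept URL quoted in the post, used here as the sample input.
SAMPLE_URL = ('http://mobilereadiness.mastercard.com/country-comparisons/'
              'index.php?c1=sg"><script>alert("NullCrew")</script>')


def c1_from_url(url: str) -> str:
    """Extract the c1 query parameter the way the server would see it."""
    return parse_qs(urlsplit(url).query)["c1"][0]


def render_vulnerable(c1: str) -> str:
    """Assumed markup: the parameter is reflected straight into an attribute.

    The double quote in the payload closes value="..." and the rest of the
    input lands in HTML context, so the injected <script> tag executes.
    """
    return f'<input type="hidden" name="c1" value="{c1}">'


def render_hardened(c1: str) -> str:
    """Same markup with attribute-context output encoding.

    quote=True also encodes " and ', so the value cannot terminate the
    attribute no matter what the user supplies.
    """
    return f'<input type="hidden" name="c1" value="{html.escape(c1, quote=True)}">'


def valid_country_code(c1: str) -> bool:
    """Allow-list check: a country selector should only ever be two letters."""
    return re.fullmatch(r"[a-z]{2}", c1) is not None


def reflects_payload_raw(page: str, payload: str) -> bool:
    """Detection helper: true if the payload came back byte-for-byte unencoded."""
    return payload in page


if __name__ == "__main__":
    payload = c1_from_url(SAMPLE_URL)
    print("vulnerable:", reflects_payload_raw(render_vulnerable(payload), payload))
    print("hardened:  ", reflects_payload_raw(render_hardened(payload), payload))
    print("valid code:", valid_country_code(payload))
```

Encoding is the fix that holds regardless of input; the allow-list check is a second layer that also rejects the request before anything is rendered.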