After an ethical hacking group exposed a security flaw in Java.com, Oracle quickly patched it. This is the third Website belonging to Oracle with a major Web application vulnerability publicized in the past month.
YGN Ethical Hacker Group found an “arbitrary URL redirect vulnerability” in www.java.com, the group said in a post on the SecLists mailing list and on its Website on April 24. The flaw was reported to Oracle on April 19, and Oracle patched it immediately, YGN said.
“Thank you for bringing this issue to our attention. We appreciate your note and wanted to let you know that we have fixed it. Our Global Information Security group may also send you a note on your report,” Oracle told YGN on April 23, according to the post.
The group also posted a sample exploit that would have worked, had Oracle not fixed the issue.
A URL redirection flaw (CWE-601) allows remote attackers to use Java.com as part of a phishing attack. An HTTP parameter containing a URL value could cause the Web application to redirect the user to a different site in this kind of an attack.
YGN found multiple security issues on McAfee.com in Feburary and notified McAfee about them. When the problems remained unfixed in late March, YGN publicized the issues in hopes of forcing McAfee to act.
While the ethics of scanning sites for vulnerabilities without the permission of the website owner can be debated, it probably violates United States law. However, if unauthorized scanning exposes existing flaws that companies don’t know about, it might result in a more secure Website for the public.
YGN describes itself as a group of young IT professionals based in Myanmar. The group tends to notify vendors and gives them time to address the issues before publicizing its findings. McAfee was unusual in that regard.
It’s unclear whether the issues have been fixed on McAfee.com. We are waiting for YGN to respond.