TRUSTe certified Electronic Art's customer support site vulnerable to XSS

Tuesday, 3 June 2008

Millions of EA gamers across the world are susceptible to security and privacy threats due to a critical XSS vulnerability.

It can be exploited by malicious people to steal your sensitive personal info (such us authentication credentials and credit card numbers) and to infect your PC with malware, spyware and adware.

Quoting from the EA Online Privacy Policy Page:
"EA and its subsidiary companies respect the privacy rights of our online visitors and recognize the importance of protecting the information collected about you."

They should really change it to something like this:
"EA and its subsidiary companies do not respect the privacy rights of our online visitors and do not recognize the importance of protecting the information collected about you by malicious people who exploit a cross-site scripting vulnerability on our website. Therefore, your privacy is not certified by TRUSTe. The TRUSTe seal is just a deception, but please do not ignore it, is there to build your trust and confidence when using EA websites."

XSS on EA's TRUSTe certified customer support login page:

http://customersupport.ea.com/loginapp/login.do?curl=
"><script>alert(/XSS/)</script>  

Mirror:
http://www.xssed.com/mirror/40862/

Many XSS vulns on *.ea.com are still active and mirrored for over a year...

By ignorance we mistake, and by mistake we learn.  Stop ignoring and underestimating such issues, and avoid mistakes in the future that will  negatively affect your image.

TRUSTe.org is also still vulnerable:

http://www.truste.org/cgi-htdig/htsearch?sort=%3Cbody%20onload=%22alert('XSS')%22

Mirror:
http://www.xssed.com/mirror/39271/

Credits for the discovery of these issues go to Shocker -at- ShockingSoft.com, C1c4Tr1Z, mox, koolkeith12345, The Milk Man, x2Fusion, Arham Muhammad and Harry Sintonen.