A hacker using the handle "human mind cracker" has discovered cross-site scripting (XSS) vulnerabilities in high-profile websites, including government, bank and airline sites.
The list of affected sites includes an Israeli airline (israirairlines.com), Myspace, MTV, the Swedish government (government.se), a Bangladeshi bank (islamibankbd.com) and NASA (spaceflight.nasa.gov).
Other affected sites are Brown University (library.brown.edu), the Afghan government (president.gov.af) and a Rome government site (www.vroma.org).
All of them are reflected XSS vulnerabilities. Cyber criminals can exploit such flaws for malicious purposes: because the injected script is echoed back by the trusted site itself, they can lure victims into clicking a crafted URL that redirects them to a phishing or malware site.
For example, injecting the following code into the vulnerable parameter will redirect the user from the vulnerable site to Google:
<script>document.location="http://www.google.com"</script>
Hackers can replace google.com with a malicious URL and redirect the user to a malware page.
He has posted the PoC on Pastebin:
Besides the XSS vulnerabilities, he also discovered a cross-site request forgery (CSRF) flaw in the MTV and Swedish government sites, and a SQL injection vulnerability in islamibankbd.com.