XSS attacks arrive in broadband routers – time to defend yourself

3. September 2009 20:28

Cross-site scripting (XSS) flaws have been a thorn in the side of website developers - and users of the Internet - for some time.

As we have been reporting in our Finjan MCRC blog, XSS flaws are a recurring problem, and it is highly unlikely that they will go away in the near future.

In this light, it is quite unsettling to hear that, apart from websites being vulnerable to XSS flaws, O2 is now facing an XSS security problem with its Wireless Box III. O2, already well established in continental Europe, is now also gaining ground in the UK as an Internet service provider. The Wireless Box III, manufactured by O2's partner Thomson, is a generic broadband router customized with O2's firmware.

O2 is unusual amongst UK ISPs in hard-coding the ID and password for its broadband Internet service into the firmware of the router. This means that users can plug the modem into their phone lines and have it working within minutes. The good news for O2's Internet users is that this minimizes the set-up hassle. The bad news, on the security front, is that once the router is installed, most users will probably forget about it.

Paul Mutton, an IT security researcher and O2 customer, revealed that he found a vulnerability in the router which could potentially leave the unit wide open to XSS forgery attacks. In his blog, he also suggested that hackers may be able to view and change settings on the customer's modem. They could even steal the router's wireless encryption key, even if the user has enabled WPA2.
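To make the class of flaw concrete from the defender's side, here is an added example (not O2's, Thomson's, or Mutton's code) of the shape a reflected XSS bug takes in an embedded web interface: a status page that echoes a request parameter straight into HTML, beside the hardened version that HTML-encodes it, plus a small check a reviewer can run against a rendered page. The page layout, the `ssid` parameter name and the probe string are all constructed for the example.

```python
import html

# Constructed sample: a router status page that echoes the "ssid" query
# parameter back into the HTML. This is a hypothetical page shape used to
# illustrate reflected XSS, not the firmware discussed in the post.

PAGE_TEMPLATE = "<html><body><h1>Wireless status</h1><p>SSID: {value}</p></body></html>"


def render_vulnerable(ssid: str) -> str:
    """Reflects the parameter into HTML unencoded.

    Any markup inside ssid is interpreted by the browser as part of the
    page, which is exactly the condition that lets injected script run
    with the admin page's origin.
    """
    return PAGE_TEMPLATE.format(value=ssid)


def render_hardened(ssid: str) -> str:
    """Reflects the parameter after HTML-encoding it.

    html.escape turns <, >, &, " and ' into entities, so the value is
    shown as text and cannot start a tag or break out of an attribute.
    """
    return PAGE_TEMPLATE.format(value=html.escape(ssid, quote=True))


def reflects_unescaped_markup(page: str, untrusted: str) -> bool:
    """Crude review check: does untrusted input that contains markup
    characters appear verbatim in the rendered page?

    True means the page is reflecting the raw input and needs encoding.
    """
    has_markup_chars = any(c in untrusted for c in "<>\"'&")
    return has_markup_chars and untrusted in page


if __name__ == "__main__":
    probe = "<b>probe</b>"  # benign constructed markup, stands in for any injected tag
    print("vulnerable reflects raw markup:", reflects_unescaped_markup(render_vulnerable(probe), probe))
    print("hardened reflects raw markup:  ", reflects_unescaped_markup(render_hardened(probe), probe))
```

The check is deliberately simple: it only tells you that raw markup survived rendering, which is enough to flag a page for proper output encoding. The real fix is the one in `render_hardened`: encode every untrusted value at the point it is written into HTML, regardless of whether it "looks" like a harmless setting such as an SSID.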

Needless to say, the problem could have serious repercussions, as several other UK ISPs also use Thomson wireless boxes.

As we stated before, it looks like XSS problems won't go away. We therefore recommend that users keep their IT security updated at all times.

If you are using Internet Explorer or Mozilla Firefox, you might consider installing Finjan's SecureBrowser add-on. It will warn you about websites that you might want to avoid.
