Hacker News new | ask | show | jobs
by Xk 5443 days ago
They have an XSS on https://secure.trust-guard.com/ (enter a username like <img src=g onerror=alert(1)> -- yes, it won't work with chrome's XSS filter)... somehow I'm inclined to believe they are not so great.

(An attacker could exploit that in a number of ways. Here's a simple one: create a site with a domain name that looks really similar. http://secure.trustt-guard.com or something, it doesn't matter. When a user visits, autosubmit a form to https://secure.trust-guard.com with the malicious payload; the first thing it does is hide the error message and incorrect username. The user then enters username/password and attacker reads the values and sends it back to his site.)

What's worse, I can't find any way to report this. Does anyone see a link?
2 comments
nbpoole 5443 days ago
https://secure.trust-guard.com/certificates/secure.trust-gua...

Apparently they don't run their security scanner against their own website ;-)

link
zwp 5443 days ago
> They have an XSS

Oh dear.

The (short) audio clips on their site are... interesting. Trust Guard's emphasis/value appears to be sales conversions, not security per se.

https://www.trust-guard.com/category-s/3.htm

First sentences from the two co-founders:

"We really really try to help our customers increase their conversion rate"

"People spend a lot of time and a lot of money getting people to their site then they don't do the things that increase conversion"

link
jerf 5443 days ago
"Trust Guard's emphasis/value appears to be sales conversions, not security per se."

The first startup I worked for was a PCI-compliance company. So I can tell you that the only way to sell "PCI-compliance" is that the credit card companies require it, and the only way to differentiate your service is by hyping the conversions it will help with. The reason is that these companies are fundamentally selling a check in the checklist that their customers otherwise do not care about. (Alas, even requiring people to care about security doesn't actually make them care about security.) For their front page, this isn't necessarily a surprise, it really doesn't tell you anything about the company either way.

Now, XSS on their front page... conclude away.

link
rbanffy 5443 days ago
> Trust Guard's emphasis/value appears to be sales conversions, not security per se.

If that's not Wall Street-level, I don't know what is.

link
tptacek 5443 days ago
Ruxum obviously took that message to heart.
link