Microsoft LIVE vulnerable to XSS Meta Manipulation Attack
The search.live.com search engine index appears to be vulnerable to a form of XSS Meta Manipulation and fraudulent content cross-domain injection attacks.
Links to XSS injected domains are being indexed and followed by the Live spiders, as can be seen in the following example when searching for “XSS Hacking” information:
http://search.live.com/results.aspx?q=hacking+xss&go=Search
Any user following the link from live.com to the Ethical Hacking expert knowledge site ethicalhacker.net will currently see this output:
It is unknown at this time if dynamic search engine rankings or other abstract Web 2.0 technologies that rely on indexed search engine results are affected by this vulnerability. It is very possible that the search.live.com spider could be tricked into following and indexing vulnerabilities far more serious than common cross-site javascript alert() injections, but XSSWorm has not yet tested this exploit vector on Live.
Thanks to XSSWorm readers, Ethicalhacker.net has now been informed of the serious XSS injection bug in their installation of Wordpress. It is obvious from the image above that the vulnerability is being exploited in the wild by Blackhat SEO optimizers, malicious crackers and possibly for cross-net spear pharming and targeted phly-phishing attacks. Microsoft has not yet responded to this bug advisory as the vulnerability still appears to be exploitable at time of writing. We will post updates here at xssworm.com as new spider injection holes are discovered.
