Multiple Vulnerabilities in BitDefender website

Discussion in 'other security issues & news' started by DrBenGolfing, Jan 28, 2013.

Thread Status:
Not open for further replies.
  1. DrBenGolfing

    DrBenGolfing Registered Member

    Joined:
    Nov 29, 2012
    Posts:
    251
    Location:
    Hometown of Van Cliburn
    Multiple Vulnerabilities in BitDefender website
    A security researcher from crackhackforum.com, Rynaldo, has discovered multiple vulnerabilities in one of the biggest antivirus companies, "BitDefender".

    The researcher claimed that he sent several emails to BitDefender's team, but they haven't responded nor fixed the vulnerabilities.

    "The website has several reflected XSS vulnerabilities and the CSRF vulnerability. Also I have found a way to cause a DoS attack on the local server to take BitDefender temporarily down." Rynaldo said.

    CSRF attack: https://my.bitdefender.com/en_us/my/#page=account.index A hacker is able to perform a CSRF attack to change the details on the user's profile. CSRF tokens aren't implemented and a password isn't required to change information on the profile.

    http://www.ehackingnews.com/2013/01/multiple-vulnerabilities-in-bitdefender.html
     
  2. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    247
    Hmm.. yesterday I was to register for an account in "MyBitDefender" and it could not push through. Then I wanted to register for the BitDefender forum but I could not either. It was a first attempt to try out BitDefender IS 2013 before taking the plunge. Even the update was taking too long for a 2mbps connection. I could not update to the 174mb first update. At around 10+mb it stops and then restarts. Restarted around 4x. After 6 hours, I gave up and reverted to a previous image with Avast IS. Definitely there's something going on there at the site.
     
  3. DrBenGolfing

    DrBenGolfing Registered Member

    Joined:
    Nov 29, 2012
    Posts:
    251
    Location:
    Hometown of Van Cliburn
    Wondering how Bitdefender can protect us consumers when they can't protect their own website? Really disappointing.:oops:
     
  4. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    Chances are the ones behind the product development aren't the same ones behind website development...
     
  5. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Chances are that the website development was done by an entirely different company.
     
  6. Iulika0069

    Iulika0069 AV Expert

    Joined:
    Mar 24, 2011
    Posts:
    181
    I'll just copy here what myBD engineers told me:

    "We released an update on Monday (4 Feb 2013) that fixes the XSS issues on the website. Without XSS it is not possible to conduct a CSRF attack on MyBitdefender as the attacker cannot get the authentication token and it is not read server side from the cookies.

    Thank you for the warning and we assure you that we are focused on the security of the MyBitdefender portal and our users' private data."
     
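The defence the myBD engineers describe above, a per-session CSRF token that the server accepts only from the submitted form and never reads from cookies, as an added Python example that is not BitDefender's code (the user store, session store and the re-authentication rule for profile changes are constructed for illustration):

```python
import hashlib
import hmac
import secrets

# Constructed stores: users (name -> password verifier) and sessions.
# A real deployment would use a password-hashing function such as scrypt or argon2.
USERS: dict[str, bytes] = {}
SESSIONS: dict[str, dict] = {}

def register_user(user: str, password: str) -> None:
    USERS[user] = hashlib.sha256(password.encode()).digest()

def password_ok(user: str, password: str) -> bool:
    digest = hashlib.sha256(password.encode()).digest()
    return hmac.compare_digest(digest, USERS.get(user, b""))

def create_session(user: str) -> str:
    """Start a session and mint a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "email": None}
    return sid

def csrf_token_for_form(sid: str) -> str:
    """The value the server embeds as a hidden field in the profile form it renders."""
    return SESSIONS[sid]["csrf"]

def handle_profile_update(cookies: dict, form: dict) -> tuple[int, str]:
    """Return (status, message). The session comes from the cookie, as usual;
    the CSRF token is read only from the submitted form, never from cookies,
    so a cross-site POST that merely rides on the victim's cookie is refused.
    The token lives in server-side session state, so without a script running
    in the site's origin (i.e. XSS) a third party cannot obtain it."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")        # deliberately not cookies.get()
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    # Re-authentication for account-detail changes (the first post notes its absence).
    if not password_ok(session["user"], form.get("current_password", "")):
        return 403, "current password required"
    session["email"] = form.get("new_email", session["email"])
    return 200, "profile updated"
```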