Security researcher YoKo Kho was recently awarded $5,000 for discovering an XSS (cross-site scripting) vulnerability in Avast Anti-Virus for Windows desktop devices. Normally this would not be an issue for desktop applications, but Avast appears to render HTML in at least some portions of its product. Avast shows a prompt when a user connects to a new wireless network, and that prompt displays the SSID (name) of the network. Without proper sanitization, it’s possible to set a network name to a short snippet of HTML that Avast will then try to display as part of its own application. This could give an attacker the ability to do things like showing a popup on the victim’s machine or displaying a login form on the network connection prompt from Avast.
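The unsanitized rendering described above, set beside an escaped version. This is an added example, not Avast's code or part of the original article; the function names, the prompt markup and the sample SSID are assumptions constructed for illustration.

```javascript
// Added example: function names and prompt markup are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// An SSID is 0-32 arbitrary octets chosen by whoever runs the access point,
// so it is untrusted input, not a display string.
function ssidToText(ssidBytes) {
  if (ssidBytes.length > 32) throw new RangeError('SSID longer than 32 octets');
  // Invalid UTF-8 decodes to U+FFFD instead of throwing.
  const text = new TextDecoder('utf-8', { fatal: false }).decode(ssidBytes);
  // Drop C0/C1 control characters so the name cannot disturb the prompt layout.
  return text.replace(/[\u0000-\u001f\u007f-\u009f]/g, '');
}

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak: the network name is concatenated into markup as-is, so any HTML
// in the SSID becomes part of the application's own UI.
function renderPromptUnsafe(ssidBytes) {
  const name = new TextDecoder().decode(ssidBytes);
  return `<p>Connected to new network: <b>${name}</b></p>`;
}

// Hardened: validate length, normalise, then escape before building markup.
function renderPromptSafe(ssidBytes) {
  const name = escapeHtml(ssidToText(ssidBytes));
  return `<p>Connected to new network: <b>${name}</b></p>`;
}

// Constructed sample SSID containing harmless markup characters.
const sampleSsid = new TextEncoder().encode('<u>Cafe</u> & "Guest"');
console.log(renderPromptUnsafe(sampleSsid)); // markup from the SSID survives
console.log(renderPromptSafe(sampleSsid));   // markup is shown as literal text
```

Where the prompt is built through a DOM, assigning the name via a text-only property such as `textContent` avoids the markup path entirely.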