Huawei E355 Cross Side Scripting XSS flaw is described as “close to as being bad as can be” with users advised to switch off scripting functionality
Owners of the Huawei E355 mobile Wi-Fi dongle are being warned of a cross-site scripting (XSS) vulnerability, described as “close to being as bad as can be”, that could allow a malicious attacker to steal sensitive information.
How does Cross Side Scripting (XSS) works?
The US Computer Emergency Response Team (CERT) says the flaw exists in the web-based administration interface and allows users to receive SMS messages to be received through the connected cellular network.
Cross Side Scripting XSS Survey and Reports
Toyin Adelakun, vice president at security firm Sestus, says hackers could exploit the vulnerability to gain access to a user’s browser and capture or delete personal information. He is convinced that some are already exploiting the weakness.
“It seems the vulnerability was reported to Huawei in April,” he says. “Publicising the vulnerability in late July might therefore seem a trifle generous in allowing the vendor time to fix the software. On the other hand, there is no telling when it was first discovered”
The CERT is advising users to disable scripting functionality on all computers and devices that connect to the dongle, but Adelakun warns this could also cause some web pages not to display properly. He says a more sensible approach could be to disable the functionality while connected to the mobile Wi-Fi device and enable it when connected to another network.
Last month, users of popular Twitter client TweetDeck were urged to shut the application down following the emergence of an XSS flaw that could have led to “mass account compromise.”
We hope a release for update for the web application to overcome this flaw.