Many merchants, such as online shops and online services, use Security Seals to improve visitor trust. For those who haven't come across them, a Security Seal is a label showing that a site has been verified as secure. A site that displays the Secure label is presented as surely safe to transact with. Two big companies that provide this service are McAfee Secure and Trust Guard. But did you know that it makes the website vulnerable to being hacked?
This was found by Jay Hames and Shane MacDougall. They showed how a hacker can find "insecure sites" by using McAfee Secure.
Here is the logic:
When a merchant uses McAfee Secure, the website is scanned every day by the McAfee system. If the website is secure, the "Secure" image label is displayed.
The problem is that when the website is detected as insecure, the secure label is replaced by a 1×1 pixel GIF image, and that image has a certain URL path.
Using that image URL path, a hacker is able to find all the insecure sites via Google or Bing. Hundreds or even thousands of easy targets would be captured by the hacker.
You can see Jay James and Shane MacDougall's video presentation here:
This is terrifying for merchants who use this kind of security seal service. One possible solution is to close the website's security hole as soon as McAfee or Trust Guard detects it.
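
A merchant can watch for the seal-to-pixel swap described above on its own site and treat it as an alert to fix the finding quickly. The following is an added example, not code from the presentation or from either seal provider; the sample images are constructed, and `fetch` is a hypothetical hook that returns the seal image bytes served for your own site.

```python
import struct

# Constructed sample images (only the header bytes matter); not real seal files.
PIXEL_GIF = (b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00"
             + b"\x00\x00\x00\xff\xff\xff"
             + b"," + struct.pack("<HHHH", 0, 0, 1, 1)
             + b"\x00\x02\x02D\x01\x00;")
SEAL_GIF = b"GIF89a" + struct.pack("<HH", 115, 32) + b"\x00\x00\x00" + b";"


def gif_dimensions(data):
    """Return (width, height) from the GIF logical screen descriptor."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF image")
    # Bytes 6..9 hold width and height as little-endian 16-bit integers.
    return struct.unpack("<HH", data[6:10])


def seal_state(data):
    """Classify the image the seal provider returned for our own site."""
    try:
        width, height = gif_dimensions(data)
    except ValueError:
        return "unknown"      # other format or truncated response: check by hand
    if (width, height) == (1, 1):
        return "placeholder"  # seal withdrawn: the daily scan flagged the site
    return "seal"


def check_own_seal(fetch):
    """Run from a scheduled job. `fetch` (hypothetical) returns the seal bytes."""
    state = seal_state(fetch())
    if state != "seal":
        print(f"ALERT: seal image state is {state!r}; review the latest scan report")
        return False
    return True


if __name__ == "__main__":
    check_own_seal(lambda: SEAL_GIF)   # healthy: no output
    check_own_seal(lambda: PIXEL_GIF)  # prints an alert
```
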