ECMAScript 6 exposes sites to new XSS attack vectors
The EZDATA analytics service used by some major sites is putting users at risk of reflected cross-site scripting (XSS) attacks, according to recent findings by security researcher Ashar Javed.
We're well aware of Mr. Javed's work in the field of online security, having previously covered the discovery of an XSS bug in YouTube Gaming. His work doesn't stop there, though: Mr. Javed has contributed numerous security disclosures to services like Adobe, Facebook, Microsoft, Google, Yahoo, Twitter, eBay, Etsy, and AT&T.
In his most recent discovery, Mr. Javed came across a common piece of analytics code that various sites from the Alexa 1000 were deploying on their pages.
The particular snippet belonged to EZDATA, an analytics service that Mr. Javed, despite numerous efforts, could not get in touch with.