At just 17 years old, Miguel Angel Jimeno has already managed to teach a thing or two to IT giants like Google, eBay or Tumblr. This young Spaniard from La Rioja has, for the last 18 months, been sniffing out security flaws in the websites and applications of these companies. And he’s not doing badly. His work has been praised by renowned IT security experts including Chema Alonso.
Miguel Angel took his first steps in the world of IT security through the page Underc[0]de, a forum for which he moderated the ‘Hacking Show Off’ section. By last January, he had opened his own blog, Researching for Fun. Through this blog Miguel Angel was able to reveal the XSS flaws he discovered in the websites of Internet giants.
“I detect all types of security holes, not just XSS,” he explains. So why does he only publish these? According to Miguel Angel, “XSS flaws are much more common and it’s not so ‘dangerous’ for the company that they are made public”.
With respect to security holes that are dangerous, Miguel Angel has uncovered SQLi vulnerabilities that could allow content to be compromised and databases to be attacked. He has also discovered holes that allow code to be executed remotely (RCE attacks) on some of these Web servers. But what is so serious about detecting XSS vulnerabilities on eBay or Google? In fact, what on Earth are they?
XSS holes
XSS (‘cross-site scripting’) holes allow malicious code to be injected into Web pages, applications or browsers and then executed. It could be a simple link or something more complex embedded with HTML