Ever wanted to know what somebody is hiding in their Rackspace Cloud Files account? The vulnerability demonstrated here is cross-site scripting (XSS): unsanitized user input is reflected back to the victim's browser simply from clicking on a link. This type of vulnerability is unfortunately very common in web applications, both home-grown and commercial. Watch as a single click on a URL leads to the theft of the Cloud Files API key and full access to add, delete, and modify all the files the victim had stored there.
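As an added illustration of the bug class the post describes (example code written for this page, not Rackspace's code or the assessment's own): a search handler that reflects a query parameter into the page unencoded, beside the same handler with HTML-entity encoding for the context it lands in and a restrictive Content-Security-Policy. The query string, the `q` parameter and the harmless `marker` payload are constructed for the example.

```python
import html
from urllib.parse import parse_qs

# Constructed sample input: the query string a victim's browser would send after
# clicking a crafted link. The payload is an inert marker, not a real exploit.
SAMPLE_QUERY = "q=%3Cscript%3Emarker%3C%2Fscript%3E"
RAW_TERM = "<script>marker</script>"


def get_param(query_string, name):
    """Return the first value of a query parameter (URL-decoded), or '' if absent."""
    return parse_qs(query_string).get(name, [""])[0]


def render_search_vulnerable(query_string):
    """Reflects the search term straight into the HTML: whatever was in the link
    is parsed as markup by the victim's browser (the pattern behind reflected XSS)."""
    term = get_param(query_string, "q")
    return f"<h1>Results for {term}</h1>"


def render_search_hardened(query_string):
    """Same page, but the reflected value is entity-encoded for an HTML text
    context, so '<', '>', '&' and quotes are rendered as text, not markup."""
    term = get_param(query_string, "q")
    return f"<h1>Results for {html.escape(term, quote=True)}</h1>"


def hardened_headers():
    """Defence-in-depth response headers to send with the hardened page:
    a CSP that blocks inline script and an explicit charset so the browser
    cannot be tricked into a different parsing mode."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }


def reflects_markup(rendered, raw_term):
    """Check used by the tests: does the un-encoded input appear verbatim in the
    response body? True means the response would execute attacker-chosen markup."""
    return raw_term in rendered
```

The same check is what a regression test for the fix should assert: the decoded parameter must never appear verbatim in any HTML response.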
This vulnerability was discovered while doing a product assessment for a small business of ours. Businesses need to realize that even if they are not developing in-house software, they should get the products they use assessed. Your business has the right to know, and companies like Rackspace should be doing assessments and publishing the results whatever the findings. Security is less about having zero vulnerabilities (highly unattainable) and more about managing risk and generally improving the organization over time.
Web applications are never 100% secure. Also, the number of vulnerabilities previously found in a product does not directly reflect the current state of security of that product or service. A better measure is how quickly the company responds and how much it cares about security-related issues. Rackspace has done an excellent job responding to and addressing the cross-site scripting vulnerabilities that have been brought to their attention. Their customers should be proud to have a company behind them that takes security seriously.