Huawei E355 Wi-Fi Dongle Users Warned Of Major XSS Flaw

Owners of the Huawei E355 mobile Wi-Fi dongle are being warned of a cross-site scripting (XSS) vulnerability, described as “close to being as bad as can be”, that could allow a malicious attacker to steal sensitive information.

The US Computer Emergency Response Team (CERT) says the flaw exists in the web-based administration interface and allows users to receive SMS messages to be received through the connected cellular network.

“The vulnerability can be exploited if a victim views SMS messages that contain JavaScript using the web interface,” warns the CERT.

Huawei E355 XSS flaw

Toyin Adelakun, vice president at security firm Sestus, says hackers could exploit the vulnerability to gain access to a user’s browser and capture or delete personal information. He is convinced that some are already exploiting the weakness.

“It seems the vulnerability was reported to Huawei in April,” he says. “Publicising the vulnerability in late July might therefore seem a trifle generous in allowing the vendor time to fix the software. On the other hand, there is no telling when it was first discovered”

The CERT is advising users to disable scripting functionality on all computers and devices that connect to the dongle, but Adelakun warns this could also cause some web pages not to display properly. He says a more sensible approach could be to disable the functionality while connected to the mobile Wi-Fi device and enable it when connected to another network.

Last month, users of popular Twitter client TweetDeck were urged to shut the application down following the emergence of an XSS flaw that could have led to “mass account compromise.”

How well do you know network security? Try our quiz and find out!