Huawei E355 Wi-Fi Dongle Users Warned Of Major XSS Flaw

Owners of the Huawei E355 mobile Wi-Fi dongle are being warned of a cross-site scripting (XSS) vulnerability, described as “close to being as bad as can be”, that could allow a malicious attacker to steal sensitive information.

The US Computer Emergency Response Team (CERT) says the flaw exists in the web-based administration interface and allows users to receive SMS messages to be received through the connected cellular network.

“The vulnerability can be exploited if a victim views SMS messages that contain JavaScript using the web interface,” warns the CERT.

Huawei E355 XSS flaw

Toyin Adelakun, vice president at security firm Sestus, says hackers could exploit the vulnerability to gain access to a user’s browser and capture or delete personal information. He is convinced that some are already exploiting the weakness.

“It seems the vulnerability was reported to Huawei in April,” he says. “Publicising the vulnerability in late July might therefore seem a trifle generous in allowing the vendor time to fix the software. On the other hand, there is no telling when it was first discovered”

The CERT is advising users to disable scripting functionality on all computers and devices that connect to the dongle, but Adelakun warns this could also cause some web pages not to display properly. He says a more sensible approach could be to disable the functionality while connected to the mobile Wi-Fi device and enable it when connected to another network.

Last month, users of popular Twitter client TweetDeck were urged to shut the application down following the emergence of an XSS flaw that could have led to “mass account compromise.”

How well do you know network security? Try our quiz and find out!

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

9 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

11 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

12 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

13 hours ago