Huawei E355 Wi-Fi Dongle Users Warned Of Major XSS Flaw

Owners of the Huawei E355 mobile Wi-Fi dongle are being warned of a cross-site scripting (XSS) vulnerability, described as “close to being as bad as can be”, that could allow a malicious attacker to steal sensitive information.

The US Computer Emergency Response Team (CERT) says the flaw exists in the web-based administration interface, which allows users to receive SMS messages through the connected cellular network.

“The vulnerability can be exploited if a victim views SMS messages that contain JavaScript using the web interface,” warns the CERT.
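As an added illustration (not code from the E355 firmware, CERT or Huawei), the sketch below shows the general class of flaw the advisory describes: SMS text placed into a web page without output encoding, beside a renderer that encodes it. The inbox data, field names and function names are hypothetical.

```javascript
// Constructed sample inbox (hypothetical data). Any sender controls both the
// message body and, in this sketch, the displayed sender string.
const inbox = [
  { from: "+441234567890", body: "Your balance is 5 GB" },
  { from: "+449876543210", body: "<script>alert(1)</script>" },
  { from: "\"><img src=x onerror=alert(1)>", body: "hi & bye" },
];

// Vulnerable pattern: message fields are concatenated into HTML as-is, so the
// browser parses sender-supplied text as markup when the inbox is viewed.
function renderInboxUnsafe(messages) {
  return messages
    .map((m) => `<li title="${m.from}"><b>${m.from}</b>: ${m.body}</li>`)
    .join("\n");
}

// Encode the five characters that are significant in HTML text and
// quoted-attribute contexts. "&" must be replaced first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern: every untrusted field is encoded at the point of output.
function renderInboxSafe(messages) {
  return messages
    .map((m) => {
      const from = escapeHtml(m.from);
      return `<li title="${from}"><b>${from}</b>: ${escapeHtml(m.body)}</li>`;
    })
    .join("\n");
}

// Lists the element names a browser would open in the rendered HTML, so the
// two renderers can be compared on the same inbox.
function tagsIn(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((t) => t[1].toLowerCase());
}
```

Running `tagsIn` over both outputs shows the unencoded version introducing `script` and `img` elements from message content, while the encoded version contains only the template's own `li` and `b` elements.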

Huawei E355 XSS flaw

Toyin Adelakun, vice president at security firm Sestus, says hackers could exploit the vulnerability to gain access to a user’s browser and capture or delete personal information. He is convinced that some are already exploiting the weakness.

“It seems the vulnerability was reported to Huawei in April,” he says. “Publicising the vulnerability in late July might therefore seem a trifle generous in allowing the vendor time to fix the software. On the other hand, there is no telling when it was first discovered.”

The CERT is advising users to disable scripting functionality on all computers and devices that connect to the dongle, but Adelakun warns this could also cause some web pages not to display properly. He says a more sensible approach could be to disable the functionality while connected to the mobile Wi-Fi device and enable it when connected to another network.

Last month, users of popular Twitter client TweetDeck were urged to shut the application down following the emergence of an XSS flaw that could have led to “mass account compromise.”


Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.
