The discovery of security issues in Java is something that Oracle deals with on a routine basis by way of regular security updates. Security issues with the Java.com website, however, are another matter.

Security researchers with the YGN Ethical Hacker Group publicly reported this week that Java.com was at risk from an arbitrary URL redirection vulnerability. YGN made the report on the public Full-Disclosure security mailing list.

The group also provided a link to a proof-of-concept demo to validate their claim.

According to YGN, it informed Oracle of the vulnerability on April 19th. On April 23rd, Oracle replied, "Thank you for bringing this issue to our attention. We appreciate your note and wanted to let you know that we have fixed it."

Oracle did not respond by press time to a request for comment from InternetNews.com on the YGN disclosure.

A URL redirection flaw is a serious issue that could have enabled an attacker to leverage Java.com for a phishing attack. Mitre, which maintains the Common Weakness Enumeration (CWE), catalogs this class of flaw as CWE-601, URL Redirection to Untrusted Site.

"An http parameter may contain a URL value and could cause the Web application to redirect the request to the specified URL," the CWE-601 definition states. "By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials."
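To make the CWE-601 pattern concrete, the following is an added example written for this article; it is not code from Java.com, Oracle or Mitre. It places a redirect handler that trusts a request parameter verbatim beside a hardened version that only follows site-relative paths or absolute URLs whose host is on an allowlist. The hostnames and sample parameter values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the hostnames this site is willing to redirect to.
ALLOWED_HOSTS = {"www.example.com"}
DEFAULT_LANDING = "/"


def vulnerable_redirect(next_param: str) -> str:
    """Return the Location header value a CWE-601-style handler would emit.

    The value of a parameter such as ?next=... is trusted as-is, so any
    absolute URL supplied by a third party becomes the redirect target.
    """
    return next_param


def is_safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only site-relative paths or absolute URLs to an allowed host."""
    if not target:
        return False
    # Normalise: drop surrounding whitespace and treat backslashes as slashes,
    # since some browsers interpret "/\host" the same way as "//host".
    candidate = target.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    # Reject non-web schemes outright (javascript:, data:, file:, ...).
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False

    if parts.netloc:
        # Absolute or protocol-relative URL: the parsed hostname must be ours.
        # urlsplit().hostname strips userinfo and port, so a value such as
        # "https://www.example.com@other.host/" resolves to "other.host".
        host = parts.hostname or ""
        return host in allowed_hosts

    # No host component: require a single leading slash. A "//" prefix is a
    # protocol-relative URL that urlsplit may not always report as a netloc.
    return candidate.startswith("/") and not candidate.startswith("//")


def safe_redirect(next_param: str, fallback: str = DEFAULT_LANDING) -> str:
    """Hardened handler: fall back to a fixed landing page on any rejection."""
    return next_param if is_safe_redirect_target(next_param) else fallback


def audit_redirect_params(values):
    """Defensive review helper: return the parameter values that would have
    sent a user off-site under the trusting handler."""
    return [v for v in values if not is_safe_redirect_target(v)]


if __name__ == "__main__":
    # Constructed sample values as they might appear in a ?next= parameter.
    samples = [
        "/account/settings",
        "https://www.example.com/download",
        "https://phish.example.net/login",
        "//phish.example.net",
        "/\\phish.example.net",
        "javascript:alert(1)",
        "https://www.example.com@phish.example.net/",
    ]
    for value in samples:
        print(f"{value!r:48} trusting -> {vulnerable_redirect(value)!r:48} "
              f"hardened -> {safe_redirect(value)!r}")
    print("flagged for review:", audit_redirect_params(samples))
```

The hardened handler deliberately fails closed: anything it cannot positively classify as a same-site destination is replaced by the fixed landing page rather than refined further, which keeps the check small enough to reason about.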

The Java.com disclosure is not the first time that YGN has exposed security flaws in a major public-facing website. At the end of March, YGN reported that McAfee.com was at risk from multiple security vulnerabilities.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.