A vulnerability in the TRUSTe seal verification service was revealed
last week by an anonymous researcher using the pseudonym "Antani
Tapioco," according to Internet research firm Netcraft.
The seal validation page did not sufficiently verify input. In the
demonstration, Tapioco injects an <img> tag with a bogus src=
parameter, causing the onerror handler to be called, which popped up a
message box that displayed "Verified by haxors, LOL". All of this comes
in the context of the www.truste.org page.
Netcraft reported the problem to TRUSTe and it has been fixed.
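The defect the article describes, a verification page reflecting a request parameter straight into its HTML, is easiest to see beside its fix. The following is an added example, not TRUSTe's code or anything Netcraft published: a hypothetical seal-status renderer in two forms, one that echoes the site name verbatim and one that both validates it against a hostname pattern and HTML-escapes it before rendering. The sample input mirrors the injected `<img>`-with-`onerror` value the article mentions and is constructed here for the demonstration.

```python
import html
import re

# Allowlist pattern for the one value a seal-verification page legitimately
# reflects: a DNS hostname. Anything containing '<', '"', or spaces fails it.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Constructed sample input of the kind the article describes: markup whose
# onerror handler fires because the image source is bogus.
SAMPLE_INJECTED_VALUE = '<img src="x" onerror="alert(1)">'


def render_seal_page_vulnerable(site: str) -> str:
    """Reflects the parameter verbatim: the class of bug the article reports."""
    return f"<p>Seal status for {site}: verified</p>"


def is_valid_hostname(site: str) -> bool:
    """Input validation layer: accept only syntactically valid hostnames."""
    return bool(HOSTNAME_RE.match(site.lower()))


def escape_for_html(value: str) -> str:
    """Output encoding layer: neutralise markup even if validation is bypassed."""
    return html.escape(value, quote=True)


def render_seal_page_safe(site: str) -> str:
    """Validate first, then encode on output (defence in depth)."""
    if not is_valid_hostname(site):
        return "<p>Invalid site name.</p>"
    return f"<p>Seal status for {escape_for_html(site)}: verified</p>"


def reflects_markup(rendered: str) -> bool:
    """Detection helper: does the rendered page contain a raw tag boundary?"""
    return "<img" in rendered or "onerror=" in rendered and "<" in rendered


if __name__ == "__main__":
    for label, fn in (("vulnerable", render_seal_page_vulnerable),
                      ("safe", render_seal_page_safe)):
        out = fn(SAMPLE_INJECTED_VALUE)
        print(f"{label}: reflects markup = {reflects_markup(out)}")
        print(f"  {out}")
    print("safe, legitimate input:", render_seal_page_safe("www.example.com"))
```

The two layers are deliberately separate: the allowlist rejects the sample outright, and `escape_for_html` would still turn `<` into `&lt;` if a future change widened what the validator accepts.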
To be fair, it's not so much TRUSTe that's the story here as
security in general. When reporting the bug, Tapioco expressed anger at
the ease with which the bugs were found and frustration that companies
don't get security audits. He has a point. Problems like this are
probably very common.