Big internet names are vulnerable to a hacker technique despite more than 18 months' worth of warnings, claims a security expert.

Security watcher Dave deVitry, of Infigon Technologies, released a shortlist of high-profile sites he claims are still vulnerable to Cross Site Scripting including Citibank, Google, CNet, Oracle, MSNBC and eBay, complete with samples. And yes, some of them do show signs of the vulnerability.

More than 18 months since the Computer Emergency Response Team (CERT) issued an alert on Cross Site Scripting, a user to run their own scripts on vulnerable sites, as well as steal cookies, perform actions on behalf of another user or modify content on a site.

"If the site operator receives specific information on security holes, they should act immediately to protect the problem area," said deVitry.

"Many crackers know this and will use these holes if they are not fixed. A few of these holes in Hotmail have been publicised, but other than that, many site's holes have gone unfixed."

CERT released an advisory detailing this vulnerability last February, available here. Recommendations include validation or filtering of all user input, including hidden form fields in web pages. End-users can also disable scripting in their browsers and are advised to log out of web servers that require log-ins.

"In the interest of safety we are starting a public list of active security holes on live sites. We suggest that you turn off JavaScript, and keep it off, if you don't want your data left open when you visit various websites," added deVitry.