
Cross-Site Scripting (XSS) Attacks: What Investors Need to Know


Cybersecurity should be at the forefront of any Tech DD. One of the most common threats found during our outside-in cyber assessments is the Cross-Site Scripting, or XSS, attack.

If you’re reading this, it’s likely to be connected to one of our reports. Please let us know if you want to discuss your specific project.

Understanding the Threat

At its core, XSS allows attackers to inject malicious scripts into web pages viewed by other users. Simplified, it’s like someone tampering with a public billboard to spread their message. 

We see this issue during Tech Due Diligence across industries, regardless of whether the firm is a startup or a mature company.
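To make the billboard analogy concrete, here is a small example added to this article (it is not code from the original post or from any firm we have assessed). It shows the pattern behind most of the XSS findings in our reports: a web page that pastes user-submitted text straight into its HTML, beside the fixed version that escapes the text first. The function names, the comment template and the sample comment are all constructed for illustration.

```javascript
// Added example (not from the original article): how a stored XSS flaw arises
// when user-supplied text is placed into a page as raw HTML, and how output
// encoding removes the flaw. All names and sample data are constructed here.

// Minimal HTML escaper for text placed inside element content or a
// double-quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE: the comment body is concatenated straight into the markup, so
// any HTML (including <script> tags) a user submits becomes part of the page
// that every other visitor renders.
function renderCommentUnsafe(author, body) {
  return '<li class="comment"><b>' + author + '</b>: ' + body + '</li>';
}

// HARDENED: every user-controlled value is escaped before insertion, so the
// browser shows the submitted text literally instead of executing it.
function renderCommentSafe(author, body) {
  return '<li class="comment"><b>' + escapeHtml(author) + '</b>: ' +
    escapeHtml(body) + '</li>';
}

// Simple review-time check: does the rendered markup contain a tag that did
// not come from the template? This template only ever emits <li> and <b>, so
// any other tag name is untrusted content that leaked through unescaped.
const TEMPLATE_TAGS = new Set(['li', 'b']);
function findForeignTags(html) {
  const found = [];
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(name)) found.push(name);
  }
  return found;
}

// Constructed sample: a comment whose body carries script markup, the kind of
// input a malicious user would submit through an ordinary comment form.
const SAMPLE_AUTHOR = 'visitor';
const SAMPLE_BODY = 'Nice post <script>/* constructed marker */</script>';

// Renders the same comment both ways and reports which version leaks tags.
function demo() {
  const unsafe = renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_BODY);
  const safe = renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_BODY);
  return {
    unsafe,
    safe,
    unsafeLeaks: findForeignTags(unsafe), // ['script', 'script']
    safeLeaks: findForeignTags(safe),     // []
  };
}

console.log(demo());
```

The unsafe renderer is the kind of code that turns one user's comment into script that runs in every other visitor's browser; the safe renderer differs by a single escaping step. In a real codebase the escaping belongs in the templating layer so it cannot be forgotten, and the "foreign tag" check is the sort of quick test a diligence reviewer can run over rendered pages to spot where that step is missing.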

What’s The Real-World Impact?

An attacker exploiting an XSS vulnerability can steal users’ data, including sensitive information like passwords and credit card details. 

For a user, this might mean unauthorized purchases or identity theft. For a portfolio company, it could lead to significant financial losses, loss of trust, and potentially, legal consequences.

Example Cross-Site Scripting Cases

  1. MySpace (2005): A 19-year-old spread a worm through MySpace, automatically making users friends with him when they visited a compromised profile. This led to over a million friend requests. Whilst not a malicious attack per se, it highlighted the potential dangers of XSS vulnerabilities.
  2. TweetDeck (2014): A teenager discovered an XSS vulnerability in TweetDeck, a popular Twitter application. If viewed, a tweet containing a script was automatically retweeted, leading to many retweets and a temporary app shutdown.
  3. British Airways (2018): BA experienced a data breach that affected 380,000 booking transactions over two months. Users were redirected to the attackers’ server, which they had made look legitimate.

Cross-Site Scripting Remediation

Fixing XSS vulnerabilities is crucial – from an investor’s perspective, it means spending time and resources to fix the software.

But in occasional cases, the portfolio firm has intentionally left the software in its current state, because fixing the surface-level issue has wider repercussions, such as having to update the entire tech stack.

In the worst cases, we have seen that starting from scratch is easier than trying to rectify what’s in situ. That worst-case scenario is a significant red flag and has stopped deals in the past.

Cost to Address Cross-Site Scripting

The time and costs involved in fixing XSS vulnerabilities can vary. 

The remediation can be swift for a company with a robust development team and well-documented code. 

However, for others, it might take weeks to months, especially if the vulnerabilities are deeply embedded.

On the financial side, while the direct costs of fixing the vulnerabilities might not be exorbitant, the indirect costs—like damage to reputation, potential fines, or lost business—can be substantial.

Conclusion

Cross-site scripting vulnerabilities are more common in privately owned firms than one might assume. 

While it might be tempting for investors to overlook such ‘tech-centric’ concerns, the risks associated with them are very real. 

In an era where data is gold, no investor should be willing to gamble on a company that isn’t prioritizing its cybersecurity.

Hutton Henry
Hutton has worked with Private Equity Portfolio firms and Private Equity funds since 2015. Having previously worked in post-merger integration for large firms such as Ford and HP, Hutton understands the value of finding issues prior to M&A deals. He is currently the founder of Beyond M&A and provides technology due diligence for VC, PE and corporate investors, so they understand their technology risks before entering into a deal.
