Ken and Boris mayoral websites leave visitors insecure


Antony Savvas

As voters go to the polls in the London mayor election, a team of ethical hackers at SecureTest have discovered potentially serious vulnerabilities in Boris Johnson's and Ken Livingstone's campaign websites.

Both sites suffer from cross-site scripting vulnerabilities that make it easy for hackers to redirect users to their opponents' websites - or to any other site on the web, said SecureTest.

SecureTest managing director, Ken Munro, said, "This is a classic internet prank that could have very damaging consequences. It is entertaining to direct potential Ken voters to Boris's website.

"But what would happen, however, if some prankster redirected traffic to a pornographic website, or one that downloaded damaging spyware onto a user's computer?"

SecureTest's team of ethical penetration testers found these weaknesses after being alerted to similar vulnerabilities on Hillary Clinton's and Barack Obama's websites in the US.

Depending on the nature of the vulnerability, they allow hackers to insert a script redirecting users to another website entirely, or an "iframe" that forces the site to display the contents of another.

Customers of an Italian online bank were recently attacked in a very similar manner. However, this attack redirected their user names and passwords to a hacker.

The cross-site scripting vulnerabilities on the two mayoral candidates' sites are exploited using a simple redirect. In the case of the Johnson site, this is in the search function, said SecureTest.
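The class of flaw described above, a search page that echoes the visitor's query back into its HTML, is shown here as an added example beside its fix; it is not code from either campaign site or from SecureTest. All function names, the header set and the sample search terms are constructed for illustration.

```javascript
// Added illustration; every name and sample value below is constructed.

// Encode the characters that let text break out of HTML text or attribute context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Weak: the search term is echoed into the page exactly as received.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p><input name="q" value="${query}">`;
}

// Hardened: the same page, with the term encoded at the point of output.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<p>Results for: ${q}</p><input name="q" value="${q}">`;
}

// Defence in depth: a policy that refuses inline script and any framed content.
const RESPONSE_HEADERS = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-src 'none'",
};

// Count script/iframe elements a browser would parse out of the rendered page.
function activeElements(html) {
  return (html.match(/<\s*(script|iframe)\b/gi) || []).length;
}

// Constructed search terms: one ordinary, two carrying inert markup.
const SAMPLES = [
  "council tax",
  "<script>/* constructed marker */</script>",
  '"><iframe src="https://example.invalid/"></iframe>',
];

// Render each sample both ways and report how much markup survives.
function audit() {
  return SAMPLES.map((q) => ({
    query: q,
    unsafe: activeElements(renderSearchUnsafe(q)),
    safe: activeElements(renderSearchSafe(q)),
  }));
}

console.table(audit());
```

The same `activeElements` check works as a regression test against any page that reflects request parameters.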

