Ken and Boris mayoral websites leave visitors insecure


Antony Savvas

As voters go to the polls in the London mayor election, a team of ethical hackers at SecureTest have discovered potentially serious vulnerabilities in Boris Johnson's and Ken Livingstone's campaign websites.

Both sites suffer from cross-site scripting vulnerabilities that make it easy for hackers to redirect users to their opponents' websites - or to any other site on the web, said SecureTest.

SecureTest managing director, Ken Munro, said, "This is a classic internet prank that could have very damaging consequences. It is entertaining to direct potential Ken voters to Boris's website.

"But what would happen, however, if some prankster redirected traffic to a pornographic website, or one that downloaded damaging spyware onto a user's computer?"

SecureTest's team of ethical penetration testers found these weaknesses after being alerted to similar vulnerabilities on Hillary Clinton's and Barack Obama's websites in the US.

Depending on its nature, a vulnerability of this kind allows hackers to insert a script that redirects users to another website entirely, or an "iframe" that forces the site to display the contents of another.

Customers of an Italian online bank were recently attacked in a very similar manner. However, this attack redirected their user names and passwords to a hacker.

The cross-site scripting vulnerabilities on the two mayoral candidates' sites are exploited using a simple redirect. In the case of the Johnson site, this is in the search function, said SecureTest.
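For site owners, the flaw described above comes down to a search page that echoes the visitor's query back as markup. The sketch below is an added example, not code from SecureTest or either campaign site: all function names, the sample queries and the header policy are assumptions, showing a search renderer that reflects input unencoded beside one that encodes it, plus response headers that stop injected scripts and frames from loading.

```javascript
// Added example: hypothetical search-results renderer (all names are assumptions).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for safe use in HTML text and quoted attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the query is concatenated into the page as markup.
function renderSearchVulnerable(query) {
  return `<h2>Results for ${query}</h2>`;
}

// Hardened: the query is encoded in both the heading and the input value.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<h2>Results for ${q}</h2><form><input name="q" value="${q}"></form>`;
}

// Defence in depth: block inline script and all framed content even if
// an encoding step is missed somewhere else on the site.
function securityHeaders() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; frame-src 'none'; object-src 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed sample queries: one benign, two matching the script and
// iframe cases the article describes (example.invalid never resolves).
const SAMPLES = [
  'transport policy',
  '<script>location="https://example.invalid/"</script>',
  '"><iframe src="https://example.invalid/"></iframe>',
];

// True when the rendered page contains a live script or iframe tag.
function containsActiveMarkup(html) {
  return /<\s*(script|iframe)\b/i.test(html);
}

// Run every sample through a renderer and report which ones inject markup.
function audit(render) {
  return SAMPLES.map((query) => ({ query, injected: containsActiveMarkup(render(query)) }));
}

console.log('vulnerable:', audit(renderSearchVulnerable));
console.log('hardened:  ', audit(renderSearchSafe));
```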




