TechTarget

Blogger finds basic security flaw in UK Parliament’s website

The UK Parliament's website contained basic flaws that left it vulnerable to hacking, a computer blogger has revealed

The official website of the UK Parliament contained basic flaws that left it vulnerable to hacking, according to computer blogger Terence Eden.

A well-known vulnerability, which has now been closed, allowed hackers to use the site’s search engine to manipulate the web page.

For example, the search function could be exploited using cross-site scripting (XSS) to add text, images and video to the page and even run JavaScript, Eden wrote in a blog post.

Even though the Chrome browser strips out any JavaScript, he noted that attackers could still run convincing adverts or direct people to install malware, or a whole host of “other nasty things”.

“Because the domain is parliament.uk it carries with it a significant level of trust. Using XSS a spammer can place an HTML5 video selling their wares with an apparent Parliamentary endorsement. They can add links, images, sound - everything they need for a scam,” said Eden.
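An added example, not taken from Eden's post or from the Parliament site's code: a search results template that reflects the query unescaped, beside the same template with the query HTML-encoded at output. The function names and sample queries are constructed for illustration; the point is that markup containing no script still lands in the page, so a browser filter that strips JavaScript does not address the flaw.

```javascript
'use strict';
// Added example. All names and sample queries here are constructed, not the site's code.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can open a tag or close an attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the search term is concatenated straight into the results page.
function renderResultsUnsafe(query) {
  return `<h1>Search results for ${query}</h1><input name="q" value="${query}">`;
}

// "After": the same template with the term encoded at the point of output.
function renderResultsSafe(query) {
  const q = escapeHtml(query);
  return `<h1>Search results for ${q}</h1><input name="q" value="${q}">`;
}

// List element names in the output that the template itself did not write.
function injectedTags(html) {
  const opens = html.match(/<\s*[a-z][a-z0-9]*/gi) || [];
  return opens
    .map((t) => t.replace(/<\s*/, '').toLowerCase())
    .filter((name) => name !== 'h1' && name !== 'input');
}

// Constructed queries: plain text, script-free media, and an attribute breakout.
const SAMPLES = [
  'budget 2014',
  '<video src="https://example.invalid/ad.mp4" controls></video>',
  '"><a href="https://example.invalid/offer">Special offer</a>',
];

// For each sample, report which foreign elements each template lets through.
function report() {
  return SAMPLES.map((q) => ({
    query: q,
    unsafe: injectedTags(renderResultsUnsafe(q)),
    safe: injectedTags(renderResultsSafe(q)),
  }));
}

console.log(JSON.stringify(report(), null, 2));
```

The encoded template renders the second and third queries as visible text in the heading and the search box, which is the behaviour a user searching for a literal angle bracket expects.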

Attackers could have even tricked MPs into revealing passwords by sending them a spoof email instructing them to carry out a password reset.

According to Eden, the blog post is the first in a series called Unsecured State, looking at the security of the UK government's web infrastructure.

He said the XSS flaw was disclosed to the UK Parliament on 7 February 2014. On 11 February they confirmed a fix had been put in place.

There is no known exploit of the vulnerability before it was fixed, according to the Telegraph.
