The official website of the UK Parliament contained basic flaws that left it vulnerable to hacking, according to computer blogger Terence Eden.
Exploiting a well-known class of vulnerability, cross-site scripting (XSS), which has since been fixed, would have allowed attackers to inject their own content into the web page through the site's search engine.
“Because the domain is parliament.uk it carries with it a significant level of trust. Using XSS a spammer can place an HTML5 video selling their wares with an apparent Parliamentary endorsement. They can add links, images, sound - everything they need for a scam,” said Eden.
Attackers could have even tricked MPs into revealing passwords by sending them a spoof email instructing them to carry out a password reset.
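The flaw described above is a reflected XSS pattern: a search term is written back into the page without HTML encoding. The following is an added illustration, not code from parliament.uk, showing a hypothetical search handler in its vulnerable and fixed forms, plus a simple regression check a developer can run before deployment. The template and sample query are constructed for the example.

```python
# Added example: reflected XSS in a search-results page and the output-encoding fix.
# Hypothetical handler; not the real parliament.uk code.
from html import escape


def render_search_unsafe(query: str) -> str:
    """Vulnerable pattern: the user's search term is concatenated into HTML as-is,
    so any markup in the query becomes part of the page."""
    return f"<h1>Search results for: {query}</h1>"


def render_search_safe(query: str) -> str:
    """Fixed pattern: HTML-encode untrusted input before it reaches the page.
    quote=True also encodes quotes, so the value is safe inside attributes too."""
    return f"<h1>Search results for: {escape(query, quote=True)}</h1>"


def contains_live_tag(rendered: str, tag: str) -> bool:
    """Defender-side check: does the rendered page contain an unencoded <tag ...>?
    An encoded &lt;tag is displayed as text and does not count."""
    return f"<{tag}" in rendered.lower()


def reflects_unescaped(render, canary: str = "<xsscheck>") -> bool:
    """Regression test for a render function: feed it a harmless canary string
    containing '<' and '>' and report whether it comes back as raw markup."""
    return canary in render(canary)


# Constructed input of the kind the article describes (an HTML5 video dropped
# into the page via the search box). Sample data only, not a payload from the site.
SAMPLE_QUERY = 'parliament <video src="https://example.invalid/ad.mp4" autoplay></video>'

if __name__ == "__main__":
    for name, fn in (("unsafe", render_search_unsafe), ("safe", render_search_safe)):
        print(name, "reflects unescaped input:", reflects_unescaped(fn))
```

Output encoding is the fix for this class of bug; a Content-Security-Policy header is a useful second layer but does not replace it.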
According to Eden, the blog post is the first in a series called Unsecured State, looking at the security of the UK government's web infrastructure.
He said the XSS flaw was disclosed to the UK Parliament on 7 February 2014. On 11 February they confirmed a fix had been put in place.
There is no known exploit of the vulnerability before it was fixed, according to the Telegraph.