The official website of the UK Parliament contained basic flaws that left it vulnerable to hacking, according to computer blogger Terence Eden.
Exploiting a well-known vulnerability – that has now been closed – allowed hackers to use the site’s search engine to manipulate the web page.
“Because the domain is parliament.uk it carries with it a significant level of trust. Using XSS a spammer can place an HTML5 video selling their wares with an apparent Parliamentary endorsement. They can add links, images, sound - everything they need for a scam,” said Eden.
Attackers could have even tricked MPs into revealing passwords by sending them a spoof email instructing them to carry out a password reset.
Read more about cross-site scripting
- How to defend against a DOM-based XSS attack
- XSS attacks remain top threat to web applications
- A new framework for preventing XSS attacks
- Stamp out XSS cross scripting vulnerabilities with proactive measures
- Using ESAPI to fix XSS in your Java code
- Adobe Flash patches zero-day XSS, 6 critical vulnerabilities
- XSS cheat sheet: How to prevent XSS attacks and detect exploits
According to Eden, the blog post is the first in a series called Unsecured State, looking at the security of the UK government's web infrastructure.
He said the XSS flaw was disclosed to the UK Parliament on 7 February 2014. On 11 February they confirmed a fix had been put in place.
There is no known exploit of the vulnerability before it was fixed, according to the Telegraph.