Blogger finds basic security flaw in UK Parliament’s website

Warwick Ashford

The official website of the UK Parliament contained basic flaws that left it vulnerable to hacking, according to computer blogger Terence Eden.

The vulnerability, a well-known class of flaw that has since been closed, allowed attackers to use the site’s search function to inject content into the web page.

For example, the search function could be exploited using cross-site scripting (XSS) to add text, images and video to the page and even run JavaScript, Eden wrote in a blog post.

Even though the Chrome browser strips out any JavaScript, he noted that attackers could still run convincing adverts or direct people to install malware, or a whole host of “other nasty things”.
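The flaw class described above is a search page that copies the user's query back into the HTML without encoding it. The following is an added illustration written for this page, not code from Eden's post or from the Parliament site: a hypothetical results template rendered once the vulnerable way and once with the query HTML-encoded, run over a constructed search term that carries markup.

```python
from html import escape

# Constructed sample query (not from the article): a search term that carries
# markup. A page that reflects it verbatim will render the markup as HTML.
SAMPLE_QUERY = 'budget <script>document.title="spoofed"</script>'


def render_results_vulnerable(query: str) -> str:
    """Reflect the search term into the page without encoding it.

    This is the flaw class the article describes: the browser interprets any
    tags in the query as part of the page. Hypothetical template, not the
    Parliament site's own."""
    return f"<h1>Results for: {query}</h1>"


def render_results_fixed(query: str) -> str:
    """Same template with the term HTML-encoded before insertion.

    html.escape turns <, >, &, and (with quote=True) both quote characters
    into entities, so the browser displays the text instead of parsing it as
    tags or script."""
    return f"<h1>Results for: {escape(query, quote=True)}</h1>"


def contains_script_tag(rendered: str) -> bool:
    """Crude check used only to illustrate the difference between the two
    renderings: does the output still contain a raw <script tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_results_vulnerable(SAMPLE_QUERY))  # raw <script> reaches the page
    print(render_results_fixed(SAMPLE_QUERY))       # &lt;script&gt; shown as text
```

The encoding shown is correct for text placed between tags. A value placed inside an attribute or inside a script block needs the encoding appropriate to that context, and a templating engine that escapes by default is the usual way to avoid relying on each developer remembering the call.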

“Because the domain is parliament.uk it carries with it a significant level of trust. Using XSS a spammer can place an HTML5 video selling their wares with an apparent Parliamentary endorsement. They can add links, images, sound - everything they need for a scam,” said Eden.

Attackers could even have tricked MPs into revealing passwords by sending them a spoof email instructing them to carry out a password reset.

According to Eden, the blog post is the first in a series called Unsecured State, looking at the security of the UK government's web infrastructure.

He said the XSS flaw was disclosed to the UK Parliament on 7 February 2014. On 11 February they confirmed a fix had been put in place.

There is no known exploit of the vulnerability before it was fixed, according to the Telegraph.
