Blogger finds basic security flaw in UK Parliament’s website

The UK Parliament's website contained basic flaws that left it vulnerable to hacking, a computer blogger has revealed

The official website of the UK Parliament contained basic flaws that left it vulnerable to hacking, according to computer blogger Terence Eden.

Exploiting a well-known class of vulnerability, since closed, allowed attackers to use the site’s search engine to manipulate the web page.

For example, the search function could be exploited using cross-site scripting (XSS) to add text, images and video to the page and even run JavaScript, Eden wrote in a blog post.

Even though the Chrome browser strips out the injected JavaScript, he noted that attackers could still run convincing adverts, direct people to install malware, or do a whole host of “other nasty things”.
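The defect class described above is a reflected XSS: the search term comes back in the response page without being encoded for HTML. The following is an added illustration, not code from the article or from Parliament’s site, showing a search-results renderer in its vulnerable form beside the fixed form, plus a simple check a defender can run over a response to see whether the raw query is being echoed. The request URL, the hostile query value and the function names are all constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample request: a search whose "q" parameter carries HTML markup.
# This is an illustrative value, not a payload taken from the article.
SAMPLE_REQUEST = "/search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"


def query_from_url(url):
    """Extract the 'q' parameter from a request URL (constructed helper)."""
    params = parse_qs(urlparse(url).query)
    return params.get("q", [""])[0]


def render_results_vulnerable(query, hits=0):
    """Reflects the raw search term straight into the page.

    Any markup in the query becomes part of the page's HTML, which is the
    defect class the article describes.
    """
    return f"<h1>Search results for {query}</h1><p>{hits} results</p>"


def render_results_fixed(query, hits=0):
    """Escapes the search term before it reaches HTML.

    html.escape turns <, >, &, " and ' into entities, so the term is shown
    as literal text and cannot introduce tags, attributes or scripts.
    """
    safe = html.escape(query, quote=True)
    return f"<h1>Search results for {safe}</h1><p>{hits} results</p>"


def reflects_markup(page, query):
    """Defender-side check: does the response echo the query unescaped?

    Returns True only when the query contains HTML-significant characters
    and that exact raw string appears in the page body.
    """
    return any(ch in query for ch in "<>\"'") and query in page


if __name__ == "__main__":
    q = query_from_url(SAMPLE_REQUEST)
    print("vulnerable:", render_results_vulnerable(q))
    print("fixed:     ", render_results_fixed(q))
    print("raw query reflected (vulnerable):", reflects_markup(render_results_vulnerable(q), q))
    print("raw query reflected (fixed):     ", reflects_markup(render_results_fixed(q), q))
```

The point of the `reflects_markup` check is that the browser-side filtering mentioned above is not a fix: the page is still emitting attacker-controlled markup, and only output encoding on the server removes the defect regardless of which browser the visitor uses.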

“Because the domain is it carries with it a significant level of trust. Using XSS a spammer can place an HTML5 video selling their wares with an apparent Parliamentary endorsement. They can add links, images, sound - everything they need for a scam,” said Eden.

Attackers could even have tricked MPs into revealing passwords by sending them a spoof email instructing them to carry out a password reset.


According to Eden, the blog post is the first in a series called Unsecured State, looking at the security of the UK government's web infrastructure.

He said the XSS flaw was disclosed to the UK Parliament on 7 February 2014. On 11 February, Parliament confirmed a fix had been put in place.

There is no known exploit of the vulnerability before it was fixed, according to the Telegraph.
