Blogger finds basic security flaw in UK Parliament’s website

The UK Parliament's website contained basic flaws that left it vulnerable to hacking, a computer blogger has revealed

The official website of the UK Parliament contained basic flaws that left it vulnerable to hacking, according to computer blogger Terence Eden.

Exploiting a well-known vulnerability – that has now been closed – allowed hackers to use the site’s search engine to manipulate the web page.

For example, the search function could be exploited using cross-site scripting (XSS) to add text, images and video to the page and even run JavaScript, Eden wrote in a blog post.

Even though the Chrome browser strips out any JavaScript, he noted that attackers could still run convincing adverts or direct people to install malware, or a whole host of “other nasty things”.

“Because the domain is it carries with it a significant level of trust. Using XSS a spammer can place an HTML5 video selling their wares with an apparent Parliamentary endorsement. They can add links, images, sound - everything they need for a scam,” said Eden.

Attackers could have even tricked MPs into revealing passwords by sending them a spoof email instructing them to carry out a password reset.

According to Eden, the blog post is the first in a series called Unsecured State, looking at the security of the UK government's web infrastructure.

He said the XSS flaw was disclosed to the UK Parliament on 7 February 2014. On 11 February they confirmed a fix had been put in place.

There is no known exploit of the vulnerability before it was fixed, according to the Telegraph.

Read more on Hackers and cybercrime prevention

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.