Explore the latest news and trends  

Keep yourself up to date with one of the following options:

  • Explore more news around Spam/Phishing, Malware/Cyber-attacks and Antivirus
  • Receive news and special offers from SPAMfighter directly in your inbox.
  • Get free tips and tricks from our blog and improve your security when surfing the net.
Go

Websites of WHO and MI5 Hacked Using XSS Attacks

The official websites of the World Health Organization (WHO) and the UK's national security agency, Millitary Intelligence, Section 5 (the MI5), are found vulnerable to the cross-site scripting (XSS) attacks. This allows attackers to infuse fake IFrames, stimulate JavaScript alerts or redirect visitor traffic to various other potentially rogue webpages.

XSS is a type of flaw that allows the injection of malicious codes into legitimate webpages. A team of security experts and programmers known as 'Team Elite' detected the cross-scripting vulnerabilities in the aforementioned sites. It is noted that the hackers have posted several XSS attacks against these two websites.

The search form on the MI5 site is the location of the XSS vulnerability. The MI5 flaw can be potentially used for injecting rogue IFrame into the webpage that, in turn, can install more malicious code from some third-party domain through its src= feature.

The gang of hackers manipulated the site in an attempt to steal the identities of visitors and inject viruses on their systems.

In the meantime, conservative party Tory's MP Patrick Mercer stated that the matter of deep concern is that the hackers are able to assess the highly-classified data, reported Daily Express on July 30, 2009. He also noted that MI5 holds some of the extremely sensitive data including the identity of informers and agents in global terror outfits including Al Qaeda. The flaw in the MI5 website had been mended, revealed a source.

It is noteworthy that Team Elite would have also been able to detect the identity of any person using the website of UK's intelligence services and discover out every other site that they had visited in the previous years. The security lapse is being regarded as a big embarrassment for MI5 as it is the major security agency for monitoring threats in the country.

Furthermore, the WHO website had also been suffering from the similar problem and its search form is also found vulnerable to the cross-site scripting attacks.

In both the cases - MI5 and WHO - the XSS vulnerabilities detected are reportedly non-persistent and can be abused only on opening the malformed URLs. Although, it does not reduce the potential risk as non-persistent XSS flaws can be exploited to sharpen the phishing and malware attacks.

Related article: Websites – The Latest Weapon in The Hands of Phishers

» SPAMfighter News - 12-08-2009

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Exchange Anti Spam Filter
Go back to previous page
Next