Websites of WHO and MI5 Hacked Using XSS Attacks
XSS is a type of flaw that allows the injection of malicious codes into legitimate webpages. A team of security experts and programmers known as 'Team Elite' detected the cross-scripting vulnerabilities in the aforementioned sites. It is noted that the hackers have posted several XSS attacks against these two websites.
The search form on the MI5 site is the location of the XSS vulnerability. The MI5 flaw can be potentially used for injecting rogue IFrame into the webpage that, in turn, can install more malicious code from some third-party domain through its src= feature.
The gang of hackers manipulated the site in an attempt to steal the identities of visitors and inject viruses on their systems.
In the meantime, conservative party Tory's MP Patrick Mercer stated that the matter of deep concern is that the hackers are able to assess the highly-classified data, reported Daily Express on July 30, 2009. He also noted that MI5 holds some of the extremely sensitive data including the identity of informers and agents in global terror outfits including Al Qaeda. The flaw in the MI5 website had been mended, revealed a source.
It is noteworthy that Team Elite would have also been able to detect the identity of any person using the website of UK's intelligence services and discover out every other site that they had visited in the previous years. The security lapse is being regarded as a big embarrassment for MI5 as it is the major security agency for monitoring threats in the country.
Furthermore, the WHO website had also been suffering from the similar problem and its search form is also found vulnerable to the cross-site scripting attacks.
In both the cases - MI5 and WHO - the XSS vulnerabilities detected are reportedly non-persistent and can be abused only on opening the malformed URLs. Although, it does not reduce the potential risk as non-persistent XSS flaws can be exploited to sharpen the phishing and malware attacks.
Related article: Websites – The Latest Weapon in The Hands of Phishers
» SPAMfighter News - 12-08-2009