XSS Vulnerability Discovered in UK’s Ministry of Defense Website

The UK Ministry of Defence (MoD) has acknowledged that vulnerability lies in its website which is capable of exposing visitors to malicious attacks. Surprisingly, a hacker gang named 'Team Elite' drew the Ministry's attention to this security flaw.

Team Elite said - with the cross-site scripting (XSS) vulnerability, it was possible to inject malicious code into the website that could divert visitors to a different or malevolent site.

According to security specialists, the website's security loophole could help pranksters or miscreants to display content from a website that they might be controlling in a pop-up box. This pop-up may appear to have come from the MoD.

Additionally, the XSS type vulnerability is extremely damaging if it were found on e-commerce or banking websites because it helps to launch more probable phishing assaults. Therefore, in the MoD's case, it is a very embarrassing situation. Meanwhile, the portions that are affected on the site are reportedly the MoD contracts sub-domain's search engine and Sandhurst sub-domain's search page. Sandhurst is the reputed training college for Army officers.

But the spokesperson of the Ministry contradicted, saying that the flaw merely affected a minor portion of the website (the A-Z index), as reported by ZDNet on August 11, 2009. The spokesperson said that the MoD quickly deactivated the affected portion so that the flaw could not be exploited and its effect falling on other websites could be reduced. The Ministry further added that there was no evidence of the vulnerability being exploited while work was on to ensure that the abuse did not occur.

Maciej Bukowski, a member of Team Elite, posted facts about the MoD XSS vulnerability on August 10, 2009 following the warning to MoD, as reported by ZDNet. Bukowski posted the bug's proof-of-concept (POC) along with the MoD site's screenshot after the insertion of POC that showed a label on the site as 'XSS by Team Elite' as well as a message from the administrator to Bukowski stating that the he would get a response from the department in 15 days.

In July 2009, Team Elite alerted of XSS vulnerability in the M15 website as well that allowed the site to be hacked using its search program.

Related article: XSS Bug Remains the Worst Infection for Sites

» SPAMfighter News - 8/27/2009