U.K.: MI-5 Web Site Hacked

By Matthew Harwood

Britain's domestic intelligence agency has admitted that a vulnerability in its Web site's search engine could have allowed hackers to divert visitors to malicious pages, reports ZDNet UK.

The cross-site scripting and Iframe injection vulnerabilities were exposed by a hacker named [-TE-]-Neo, who posted on a popular hacking forum that MI-5's Web site could be hacked through its search engine.

According to ZDNet UK:

The MI5 site uses an embedded Google search engine, said a spokesperson for the agency, who also confirmed that the site had been vulnerable through the search tool. However, the website is hosted separately from MI5's back-end systems and is not connected to sensitive data, the spokesperson added.

Once MI5 was informed of the vulnerability, it took action to remedy the situation, said the spokesperson. The flaw was not maliciously exploited and had been limited to that search engine.

Last year, Eastern European hackers infected thousands of British Web sites, including local government and National Health Service Web sites, with a virus called Asprox. It's believed that some visitors to these sites had their identities stolen, found money taken from their bank accounts, and fell victim to other frauds, reports The Telegraph.

♦ Photo by Cyril Cavalié/Flickr



Most of the security vulnerabilities occur due to code injections. It's where the backend takes the user parameter on a web page and processes it as a command. So, an unsecure search tool might take a search term, parse it and run it on the system, opening a loophole for a hacker.

P.S.: I personally run an online dating site and hence know about website security.
