Ethical hackers have discovered potentially serious vulnerabilities on the websites of the two principal candidates in today's London Mayoral election.

Both Boris Johnson’s and Ken Livingstone's campaign websites suffer from ‘cross-scripting’ (XSS) vulnerabilities that make it possible for hackers to redirect users to their opponents' websites, or any other site on the web, penetration testing firm SecureTest warns.

For example, it is simple to have a picture of Boris appear on Ken’s web site or vice versa, as can be seen by following from this Ken shot on Boris’s site link here (http://www.backboris.com/misc/register.php?msg=%3CIFRAME%20SRC=http://www.kenlivingstone.com/page/-/ken-and-bertrand-islington.jpg%3E%3C/IFRAME%3E). The cross-site scripting vulnerabilities on Boris and Ken’s sites are exploited using a simple redirect. In the case of Boris’s site, this is in the search function.

Ken Munro, managing director of SecureTest, explained that the picture prank does not involve hacking either site as such. "It just involves sending somebody a link that pulls content off a third-party site as if it came from the first site, which shouldn't be allowed to happen," he told El Reg.

SecureTest's team of ethical penetration testers found these weaknesses after reading reports (http://news.netcraft.com/archives/2008/04/24/clinton_and_obama_xss_battle_develops.html) of similar vulnerabilities on Hillary Clinton and Barrack Obama’s websites in the US.

Munro said: "This is a classic internet prank that could have very damaging consequences. It is entertaining to direct potential Ken voters to Boris’s website or vice versa. What would happen, however, if some prankster redirected traffic to a pornographic website, or one which downloaded damaging spyware onto a user's computer?

Depending on their nature, cross-site scripting vulnerabilities create a means for hackers to insert a script redirecting users to another website entirely, or an 'iframe' that forces the site to display the content of a third party site. Customers of an Italian online bank were recently attacked in a very similar manner - however, that attack redirected their usernames and passwords to a hacker. ®

Related stories

Scripting bugs blight security giants' websites (13 June 2008)
http://www.theregister.co.uk/2008/06/13/security_giants_xssed/
What did happen to all those London mayoral votes? (7 May 2008)
http://www.theregister.co.uk/2008/05/07/london_mayoral_election_observation/
How scanners and PCs will choose London's mayor (30 April 2008)
http://www.theregister.co.uk/2008/04/30/london_mayoral_elections_vote_counting/
Harman hack horror has blog backing Boris (25 April 2008)
http://www.theregister.co.uk/2008/04/25/harriet_harman_website_hacked/
Lib Dem mayor candidate jumps aboard muni Wi-Fi failboat (24 April 2008)
http://www.theregister.co.uk/2008/04/24/paddick_wifi_pledge/
Lieberman's campaign to blame for website crash (10 April 2008)
http://www.theregister.co.uk/2008/04/10/lieberman_website_crash/
Get your German interior minister's fingerprint here (30 March 2008)
http://www.theregister.co.uk/2008/03/30/german_interior_minister_fingerprint_appropriated/
Red Green Ken v Porsche in battle of the polls (18 March 2008)
http://www.theregister.co.uk/2008/03/18/green_mayor_ken_livingstone_vs_porsche_pollsters_for_hire/
Congressional aide fired after trying to hire hackers (28 December 2006)
http://www.theregister.co.uk/2006/12/28/political_aide_hack_gaffe/
Hacker hijinks impinge on US mid-term elections (27 October 2006)
http://www.theregister.co.uk/2006/10/27/us_election_hack_attacks/
Hacking probe clouds Swedish election result (18 September 2006)
http://www.theregister.co.uk/2006/09/18/swedish_election_hacking_probe/
Political hacking scandal hits Hungary (20 February 2006)
http://www.theregister.co.uk/2006/02/20/hungary_hack/