Feeds

MI5 website vuln builds mountain out of molehill

Team Elite: Mission Implausible

The Essential Guide to IT Transformation

Hackers have uncovered information security shortcomings involving MI5's website, even though the problem is nowhere near as severe as one tabloid paper claims.

A breathless Daily Express "exclusive" on Thursday claimed the breach created a possible means for hackers to attack the computers of surfers visiting the security service's website and steal information. It's highly unlikely that confidential data held by the security service itself was exposed by the attack, even the Daily Express concedes.

In any case the flaw has now been resolved, so visitors are no longer at risk.

The Daily Express claims the MI5 attack was carried out by a hacking crew called "Team Elite", who are also reportedly responsible for attacks against the World Health Organisation’s website (as earlier reported by SoftPedia in greater depth here).

Team Elite, which notified MI5 about the problem, explains that MI5's search engine is vulnerable to XSS (cross-site scripting) and iFrame Injection attacks. Screenshots produced by the group suggest hackers could have used the now-patched flaw to present content under their control in frames that would appear (on cursory inspection, at least) to originate from MI5 itself.

The problem, such as it was, arose because the search form on MI5's website allowed code to pass as a search string, creating a code injection risk. XSSed, which maintains an archive of cross-site scripting bugs, reposts similar flaws also involved the search engine of the security service's website but dating from September 2007.

Team Elite published its advisory more than a week ago, on 21 July. Some of the more excitable coverage on Thursday sparked off but far from limited to the Daily Express, suggested the MI5's website was hacked into and that the nation's cybersecurity or perhaps even national security was imperiled as a result.

The truth is far more mundane.

Graham Cluley, senior technology consultant at Sophos, said it was "implausible" for MI5 to hold any sensitive data on systems connected to a public facing website, still less that confidential information would be unencrypted. Although the vulnerability on MI5's website is "highly unlikely to have compromised classified information", it still ought to serve as a wake-up call for sys admins - as Sophos notes, the majority of web-based malware attacks are these days launched from legitimate websites. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Canada's boffins need A WHOLE YEAR to recover from China hack attack
'State-sponsored actor' breached National Research Council network
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.