Feeds

MI5 website vuln builds mountain out of molehill

Team Elite: Mission Implausible

Providing a secure and efficient Helpdesk

Hackers have uncovered information security shortcomings involving MI5's website, even though the problem is nowhere near as severe as one tabloid paper claims.

A breathless Daily Express "exclusive" on Thursday claimed the breach created a possible means for hackers to attack the computers of surfers visiting the security service's website and steal information. It's highly unlikely that confidential data held by the security service itself was exposed by the attack, even the Daily Express concedes.

In any case the flaw has now been resolved, so visitors are no longer at risk.

The Daily Express claims the MI5 attack was carried out by a hacking crew called "Team Elite", who are also reportedly responsible for attacks against the World Health Organisation’s website (as earlier reported by SoftPedia in greater depth here).

Team Elite, which notified MI5 about the problem, explains that MI5's search engine is vulnerable to XSS (cross-site scripting) and iFrame Injection attacks. Screenshots produced by the group suggest hackers could have used the now-patched flaw to present content under their control in frames that would appear (on cursory inspection, at least) to originate from MI5 itself.

The problem, such as it was, arose because the search form on MI5's website allowed code to pass as a search string, creating a code injection risk. XSSed, which maintains an archive of cross-site scripting bugs, reposts similar flaws also involved the search engine of the security service's website but dating from September 2007.

Team Elite published its advisory more than a week ago, on 21 July. Some of the more excitable coverage on Thursday sparked off but far from limited to the Daily Express, suggested the MI5's website was hacked into and that the nation's cybersecurity or perhaps even national security was imperiled as a result.

The truth is far more mundane.

Graham Cluley, senior technology consultant at Sophos, said it was "implausible" for MI5 to hold any sensitive data on systems connected to a public facing website, still less that confidential information would be unencrypted. Although the vulnerability on MI5's website is "highly unlikely to have compromised classified information", it still ought to serve as a wake-up call for sys admins - as Sophos notes, the majority of web-based malware attacks are these days launched from legitimate websites. ®

New hybrid storage solutions

More from The Register

next story
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.