White hat banned for revealing vulns in news sites used by London councillors
Vendor claims claims of vulns are tosh
Security consultant Andrew Tierney has claimed that web platform NeighbourNET contains nasty vulnerabilities that could compromise users.
The company's sites are used for local news services, often by councils and councillors to communicate with residents. London districts favoured with sites powered by the service include Shepherds Bush, Wimbledon, and Hammersmith.
Tierney says he disclosed the holes to NeighbourNet two months before publishing his findings overnight.
The consultant says the NeighbourNET platform is vulnerable to cross-site request forgery, username spoofing, and logins that require only an email to access forum accounts.
"It would be fair to say the visual presentation of the sites hints at there being security problems," Tierney says.
"A mess of security issues - considering that local councillors use these sites to communicate with the public, allowing impersonation is a serious issue.
"A user can visit another website, and that website can cause them to carry out actions on the site, such as posting messages."
The platform also allows untrusted third-party content to be embedded in forum posts, as there is no whitelist of permitted sources.
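The cross-site request forgery Tierney describes (a user visits another website, and that site makes their browser post to the forum as them) comes down to an endpoint that authenticates on the session cookie alone. The following is an added example, not NeighbourNET's code: a toy model of a forum's "post a message" handler in its forgeable form beside a version that also demands a per-session anti-CSRF token. Endpoint URLs, field names, session ids and the HMAC-derived token scheme are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Added example (not NeighbourNET code): a toy model of a forum's "post a
# message" endpoint, showing why cookie-only authentication is forgeable
# cross-site and how a session-bound anti-CSRF token stops it.
# Endpoint, field names, session ids and the token scheme are assumptions.

SECRET_KEY = secrets.token_bytes(32)   # server-side signing key (assumed)

# What "visiting another website" does: the attacker's page auto-submits a
# form at the forum. The victim's browser attaches the forum's session cookie
# because the target is the forum's origin; the attacker never sees the cookie.
ATTACKER_PAGE = """
<form id="f" method="POST" action="https://forum.example/post">
  <input type="hidden" name="message" value="Council approves demolition">
</form>
<script>document.getElementById("f").submit();</script>
"""


def issue_csrf_token(session_id: str) -> str:
    """Per-session token: HMAC(secret, session id). It is rendered only into
    the forum's own pages, so a page on another origin cannot read it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def post_vulnerable(request: dict, sessions: dict, forum: list) -> bool:
    """Accepts any POST carrying a valid session cookie, cross-site or not."""
    user = sessions.get(request.get("cookie"))
    if user is None:
        return False
    forum.append((user, request["form"]["message"]))
    return True


def post_hardened(request: dict, sessions: dict, forum: list) -> bool:
    """Additionally requires the anti-CSRF token bound to that session."""
    session_id = request.get("cookie")
    user = sessions.get(session_id)
    if user is None:
        return False
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, issue_csrf_token(session_id)):
        return False                      # forged or stale: reject, do not post
    forum.append((user, request["form"]["message"]))
    return True


def simulate() -> dict:
    """Run one legitimate and one forged request through both handlers."""
    sessions = {"sess-abc": "cllr_jane"}  # constructed: one logged-in councillor
    # Legitimate: submitted from the forum's own page, so it carries the token.
    legit = {"cookie": "sess-abc",
             "form": {"message": "Bin collection moves to Friday",
                      "csrf_token": issue_csrf_token("sess-abc")}}
    # Forged: what ATTACKER_PAGE produces. Cookie present, token absent.
    forged = {"cookie": "sess-abc",
              "form": {"message": "Council approves demolition"}}
    results = {}
    for name, handler in (("vulnerable", post_vulnerable),
                          ("hardened", post_hardened)):
        forum = []
        results[name] = {
            "legit_accepted": handler(legit, sessions, forum),
            "forged_accepted": handler(forged, sessions, forum),
            "posts_as_cllr_jane": [m for u, m in forum if u == "cllr_jane"],
        }
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(name, outcome)
```

The vulnerable handler records the attacker's message under the councillor's name; the hardened one rejects it because the forged form cannot supply the token. Marking the session cookie `SameSite=Lax` is a worthwhile second layer, since the browser then withholds the cookie on cross-site POSTs, but the token check is the control that does not depend on browser behaviour.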
NeighbourNET has written to The Register with correspondence it says was directed to Tierney.
That email says, in part, that NeighbourNet's development team "acknowledged that you have identified some potential security holes but they have existed for a long time without ever having been exploited and there seems little incentive for anyone to try to do so."
"We have been for some time now working on a completely overhauled site architecture and whilst this project has been ongoing for some time we are now talking in terms of months rather than years before implementation. This would close these security holes and others," says the email to Tierney that we've been provided with.
NeighbourNET also told The Reg that the company's sites contain no "nasty vulnerabilities that could compromise users".
"Our sites have been operating for over a decade without a major issue with security. We note that Mr Tierney fails to give a single example of any actual occasion on which security is compromised," the company says. ®
"Not an ideal response to reporting security issues… pic.twitter.com/8MhL0jmlho" – Cybergibbons (@cybergibbons), July 10, 2016