Holes in Boris & Ken’s websites leave them open for ‘e-gaffes’
24 Apr 2008
As the battle for London mayor enters its final stages, a team of
ethical hackers at SecureTest has discovered potentially serious
vulnerabilities in both Boris Johnson’s and Ken Livingstone’s campaign
websites. Both suffer from cross-site scripting (XSS) vulnerabilities
that make it easy for attackers to redirect visitors to their opponents’
websites, or to any other site on the web.
SecureTest
managing director, Ken Munro, commented: “This is a classic internet
prank that could have very damaging consequences. It might seem
entertaining to direct potential Ken voters to Boris’s website – after
all, going by their track record neither side is afraid of the odd
gaffe.
“What would happen, however, if some prankster redirected
traffic to a pornographic website, or one which downloaded damaging
spyware onto a user’s computer?”
SecureTest’s team of ethical penetration testers found these weaknesses
after being alerted to similar vulnerabilities on Hillary Clinton’s and
Barack Obama’s websites in the US. Depending on the nature of the
vulnerability, the flaws allow an attacker to inject a script that
redirects visitors to another website entirely, or an iframe that forces
the site to display the contents of another. The injection found here is
reflected: the script travels inside a crafted link and runs in the
browser of anyone who follows it, so the attacker only has to get that
link in front of voters.
Since discovering these weaknesses, NCC Group has
alerted the webmasters of both websites, but has yet to receive
confirmation that the glitches have been fixed.
To see the cross-site scripting vulnerability in action, copy and paste
the following link into your browser. What looks like a link to Ken
Livingstone’s website redirects you to Boris Johnson’s; the payload sits
in the orderby parameter of the query string.
http://www.kenlivingstone.com/page/event/search_results?type=simple&orderby=<script></script><script>window.location="http://www.boris-johnson.com/"</script>&zip_radius[0]=SW1H+0HA&zip_radius[1]=100&radius_unit=kilometers&country=GB
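The following is an added example, not code from the article or from either campaign site: a deliberately minimal model of a search results page that reflects the orderby parameter, shown in its vulnerable form and with the value HTML-escaped. Only the URL and its payload come from the article; the page structure, the parseQuery/renderVulnerable/renderHardened helpers and the countScriptTags check are assumptions made for illustration. It runs offline in Node.js.

```javascript
// Added example (not from the original article or SecureTest): a minimal
// model of the search_results page, showing how an unescaped query parameter
// becomes reflected XSS and how HTML-escaping the value neutralises it.
// The page markup and helper names are hypothetical; only the URL and its
// orderby payload come from the article.

const POC_URL =
  'http://www.kenlivingstone.com/page/event/search_results?type=simple' +
  '&orderby=<script></script><script>window.location="http://www.boris-johnson.com/"</script>' +
  '&zip_radius[0]=SW1H+0HA&zip_radius[1]=100&radius_unit=kilometers&country=GB';

// Pull the query parameters the way a server-side handler would see them.
// URL.searchParams decodes the percent-encoded angle brackets back into <script>.
function parseQuery(url) {
  const params = new URL(url).searchParams;
  return {
    type: params.get('type') || '',
    orderby: params.get('orderby') || '',
    radiusUnit: params.get('radius_unit') || '',
  };
}

// Vulnerable: the attacker-controlled orderby value is concatenated straight
// into the markup, so <script> in the query string becomes <script> in the page
// and window.location=... runs in the visitor's browser.
function renderVulnerable(query) {
  return '<html><body><h1>Event search</h1>' +
    '<p>Results ordered by: ' + query.orderby + '</p>' +
    '</body></html>';
}

// Hardened: escape the five characters that matter in an HTML text context.
// (Attribute values and inline JavaScript need their own, stricter encoding.)
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderHardened(query) {
  return '<html><body><h1>Event search</h1>' +
    '<p>Results ordered by: ' + escapeHtml(query.orderby) + '</p>' +
    '</body></html>';
}

// Crude check: how many live <script> elements does the rendered document contain?
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

const query = parseQuery(POC_URL);
console.log('injected orderby value:', query.orderby);
console.log('vulnerable page script tags:', countScriptTags(renderVulnerable(query))); // 2
console.log('hardened page script tags:', countScriptTags(renderHardened(query)));     // 0
```

The escaped page still displays the attacker's text verbatim, which is harmless; the fix is encoding for the output context, not stripping or blocklisting keywords such as "script", which is trivially bypassed.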
Ken Munro
concluded: “If politics is all about trust, then it is essential that
these websites which, one way or another, will be the mouthpiece of one
of the world’s most powerful mayors, can be relied upon to take care of
visitors. These vulnerabilities are not only bad practice, but they
also send out disquieting messages about the way politicians campaign
via the internet.”