MoD site Hacked.

Discussion in 'The Internet - Best and Worst' started by NotmeChief, Aug 11, 2009.

  1. Hackers have discovered cross-site scripting (XSS) vulnerabilities on the UK's Ministry of Defence website.

    The security shortcomings create a means for miscreants or pranksters to present content from a website under their control in a pop-up window that appears to come from the MoD. This class of flaw is very serious on banking or ecommerce websites, because it enables the creation of more plausible phishing attacks, and is best described as embarrassing in the case of the MoD. Affected portions of the MoD's website include the search engine of the MoD contracts sub-domain and the search page for the sub-domain of Sandhurst, the prestigious Army officer training college.

    The shortcomings of the MoD's website were demonstrated by a hacking crew called "Team Elite", which has also claimed responsibility for discovering similar XSS flaws on the websites of the World Health Organisation and MI5. Team Elite has notified the MoD about the vulnerabilities on its site and published its findings. Its advisory on the flaws - containing screenshots - can be found here.

    Courtesy of The Register
     
  2. Where?
     
  3. Here
     
  4. Let’s hope it’s some septic so that we can extradite them. Ah, wait a minute; can we?
     
  5. Cheers :)
     
  6. It'd be interesting to have a benchmark case to actually see if XSS is illegal (anyone know of one?). Since the script that is used is run using the programmed rules of the website and only that functionality, I can't really see how it could be considered a crime. I suppose the act of social engineering in non-persistent XSS might be considered fraud or similar, but I think the buck should really stop with the content managers or owners who shouldn't be so lazy in the persistent case.
     
  7. If you can prove malicious intent then you would have a much more straightforward case. It is very easy to merely claim you were harmlessly attempting to run a new bit of code you'd just developed which 'somehow' resulted in negative effects for a site/user.
     
