Vulnerabilities in London News Websites get White Hat Banned

A series of vulnerabilities has been reported in a couple of NeighbourNET-powered London websites used by London councilors to address local communities.

Ten London websites powered by NeighbourNET were found vulnerable to cross-site scripting, name spoofing and poor user authentication. Security consultant Andrew Tierne, who reported the vulnerabilities, said some of the issues could cause serious problems, allowing an attacker to compromise users and even impersonate their identities.

“It would be fair to say the visual presentation of the sites hints at there being security problems,” wrote Tierne. “A mess of security issues. Considering that local councillors use these sites to communicate with the public, allowing impersonation is a serious issue.”

Emphasizing that an attacker could embed untrusted code into these websites, the researcher said he believes users could even be exposed to malware. While his testing involved only embedding HTML code, JavaScript or Flash content could also be used.

“The site embeds its own content using an URL passed as a GET parameter,” wrote the researcher. “The source of this content is not whitelisted or validated, so you can just embed your own content. This has only been tested with plain HTML, but if JavaScript, Flash or other content could be embedded, this would lead to cross-site scripting or malware delivery to users.”
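The missing control in the quote above is an allowlist on the embed source. As an added example (not code from NeighbourNET or from the researcher), this is one way a server could validate a URL taken from a GET parameter before embedding it; the host names, the function names and the sample inputs are all constructed for illustration.

```javascript
// Added example: allowlist validation for an embed URL received as a GET parameter.
// ALLOWED_EMBED_HOSTS and every sample value below are constructed, not from the page.
const ALLOWED_EMBED_HOSTS = new Set(["content.example.org", "static.example.org"]);

// Returns the normalized URL when it is safe to embed, otherwise null.
function validateEmbedUrl(rawValue) {
  if (typeof rawValue !== "string" || rawValue.length === 0 || rawValue.length > 2048) {
    return null;
  }
  let url;
  try {
    // No base URL is given, so relative and protocol-relative values fail to parse.
    url = new URL(rawValue);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;                  // javascript:, data:, http:
  if (url.username !== "" || url.password !== "") return null; // host hidden behind userinfo
  if (url.port !== "") return null;                            // non-default port
  if (!ALLOWED_EMBED_HOSTS.has(url.hostname)) return null;     // exact match, no suffix test
  url.hash = "";
  // Callers embed this normalized string, never the raw parameter value.
  return url.toString();
}

// Runs the validator over a list of values and reports the decision for each.
function auditSamples(samples) {
  return samples.map((value) => ({ value, accepted: validateEmbedUrl(value) !== null }));
}

const CONSTRUCTED_SAMPLES = [
  "https://content.example.org/news/item.html?id=7#top",
  "HTTPS://STATIC.EXAMPLE.ORG/banner.html",
  "http://content.example.org/news/item.html",
  "https://other.example.net/page.html",
  "https://content.example.org.other.example.net/page.html",
  "https://content.example.org@other.example.net/page.html",
  "//other.example.net/page.html",
  "https://content.example.org:8443/page.html",
  "data:text/html,hello",
];

for (const row of auditSamples(CONSTRUCTED_SAMPLES)) {
  console.log(row.accepted ? "ALLOW" : "DENY ", row.value);
}
```

Only the first two constructed samples are accepted; the rest fail on scheme, host, userinfo, port or parse errors.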

Before posting his findings online, the security researcher notified the affected parties and allowed 60 days to pass. However, the only response he received was having his account suspended for “misuse of the site.”

Here’s the list of all the websites that were found vulnerable:

  • www.ActonW3.com
  • www.BrentfordTW8.com
  • www.ChiswickW4.com
  • www.EalingToday.co.uk
  • www.FulhamSW6.com
  • www.HammersmithToday.co.uk
  • www.PutneySW15.com
  • www.ShepherdsbushW12.com
  • www.WandsworthSW18.com
  • www.WimbledonSW19.com

About the author

Liviu ARSENE

Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.
