A series of vulnerabilities has been reported in several NeighbourNET-powered London websites used by London councillors to address local communities.
Ten London websites powered by NeighbourNET were found to be vulnerable to cross-site scripting, name spoofing and poor user authentication. Security consultant Andrew Tierne, who reported the vulnerabilities, said some of the issues could cause serious problems, allowing an attacker to compromise users and even impersonate them.
“It would be fair to say the visual presentation of the sites hints at there being security problems,” wrote Tierne. “A mess of security issues. Considering that local councillors use these sites to communicate with the public, allowing impersonation is a serious issue.”
Before posting his findings online, the security researcher notified the affected parties and allowed 60 days to pass. However, the only response he received was having his account suspended for “misuse of the site.”
Here’s the list of all the websites that were found vulnerable: