Vulnerabilities in London News Websites get White Hat Banned

A series of vulnerabilities have been reported in a couple of NeighbourNET-powered London websites used by London councilors to address local communities.

Ten London websites powered by NeighbourNET were found vulnerable to cross-site scripting, name spoofing and poor user authentication. Security consultant Andrew Tierne, who reported the vulnerabilities, said some of the issues could cause serious problems, allowing an attacker to compromise users and even impersonate their identities.

“It would be fair to say the visual presentation of the sites hints at there being security problems,” wrote Tierne. “A mess of security issues. Considering that local councillors use these sites to communicate with the public, allowing impersonation is a serious issue.”

Emphasizing that an attacker could even embed untrusted code into these websites, the researcher said he believes users could even be exposed to malware. While his testing involved only the embedding of HTML code, JavaScript or Flash content could also be used.

“The site embeds its own content using an URL passed as a GET parameter,” wrote the researcher. “The source of this content is not whitelisted or validated, so you can just embed your own content. This has only been tested with plain HTML, but if JavaScript, Flash or other content could be embedded, this would lead to cross-site scripting or malware delivery to users.”

Before posting his findings online, the security researcher notified the affected parties and allowed 60 days to pass. However, the only response he received was having his account suspended for “misuse of the site.”

Here’s the list of all the websites that were found vulnerable:

• www.ActonW3.com
• www.BrentfordTW8.com
• www.ChiswickW4.com
• www.EalingToday.co.uk
• www.FulhamSW6.com
• www.HammersmithToday.co.uk
• www.PutneySW15.com
• www.ShepherdsbushW12.com
• www.WandsworthSW18.com
• www.WimbledonSW19.com