Cross-site scripting (XSS) attacks have hit the Ministry of Defence.
Richard Kirk, European director at Fortify Software, claimed that the MoD admitted to the flaw on Tuesday, after it was alerted to the XSS problem by a journalist who had been tipped off by the hacker group, Team Elite.
He claimed that in many cases of a XSS-driven infection, the infected user is usually unaware his/her computer has been compromised, and is leaking information. This is what makes XSS flaws so insidious, as - in common with other similar security problems - the flaw on the MoD website could have re-routed users to a second, infected portal.
Kirk said: “XSS vulnerabilities are often found in web applications which allow code injection by malicious internet users into the pages viewed by other users. Examples of these flaws include client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.”
He further claimed that the XSS flaw only appears to have affected the MoD's A to Z index, but the good news is that the MoD webmaster appears to have responded almost immediately to the Team Elite warning.
"Since (Team Elite's Maciej) Bukowski was responsible for revealing a similar flaw on the MI5 web portal last month, it looks like the message has got through and the MoD reacted swiftly to the Team Elite posting, as soon as ZDNet alerted them to the problem," said Kirk.