Hacker shows up Aussie education sites

Summary: Australian education websites are among those included on a list of sites vulnerable to cross-site scripting attacks.


The list of URLs, which first appeared on The Hacker News, shows 20 websites that fail to sanitise search terms entered into the search bar. Without that sanitisation, any markup or script in the search term is echoed back unaltered in the results page, so the site's own server returns attacker-supplied content, including references to content hosted outside the site, which the visitor's browser then renders. The hacker responsible for the list, who goes by the alias "InvectuS", demonstrates the flaw on each of the sites by linking from his post to each site's search page, where the results display a third-party hosted image containing the Pakistan flag and a warning to learn security or "die trying".
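The flaw described above is a reflected cross-site scripting bug: the search handler splices the query into the page without HTML-encoding it. The following is an added example, not code from the article or from any of the sites it names, showing a vulnerable results renderer beside a hardened one and a small check a site owner can run over their own search endpoint's response. The sample query and its image host (example.invalid) are constructed for illustration.

```javascript
// Added example (not from the ZDNet article or any of the sites it names):
// a search results page that echoes the query unescaped, beside a hardened
// version that HTML-encodes it before building the response body.

// Vulnerable: the raw query is spliced into the page, so any markup in it is
// returned by the server and rendered by the visitor's browser.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Encode the five characters that let text break out of an HTML text node
// or a quoted attribute value. This is the right encoding for HTML body and
// attribute contexts only; URL, JavaScript and CSS contexts need their own.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: the query is encoded, so the browser shows it as literal text
// instead of interpreting it as a tag.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Defender's check: does the response body still contain, byte for byte, a
// tag that appeared in the submitted query? True means the endpoint reflects
// markup unencoded and needs fixing.
function reflectsMarkup(query, responseBody) {
  const tags = query.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => responseBody.includes(tag));
}

// Constructed sample query (hypothetical host): the kind of third-party image
// reference the article describes being injected through the search bar.
const sampleQuery = 'flag <img src="https://example.invalid/flag.png">';

// Compare both renderers on the same input.
function demo() {
  return {
    vulnerableReflects: reflectsMarkup(sampleQuery, renderSearchVulnerable(sampleQuery)),
    safeReflects: reflectsMarkup(sampleQuery, renderSearchSafe(sampleQuery)),
  };
}

console.log(demo()); // { vulnerableReflects: true, safeReflects: false }
```

The fix is output encoding at the point where untrusted text is written into the page, not a blacklist of "bad" words in the input: the same query must be encoded differently depending on whether it lands in HTML text, an attribute, a URL or a script block, and a templating engine that encodes by default removes most of the opportunity to forget.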

(Screenshots by Michael Lee/ZDNet Australia)

The list includes several US universities and government agencies, and even the US McDonald's site, but also contains the TAFE NSW and NSW Public Schools websites. At the time of writing, several sites had fixed the issue, but the Australian sites still remained vulnerable.

While the cross-site scripting vulnerability doesn't leave the sites permanently defaced, it could be used as a stepping stone to exploiting other security flaws that may exist on the site, or to conduct phishing attacks against other users who expect to be able to trust content on the site.

In July, similar cross-site scripting flaws in Skype meant that users could be directed to any website from within the Skype client, and in April last year, flaws in Atlassian's software resulted in Apache Software Foundation's developers losing their passwords.


About

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
