The governor-general's website has been vulnerable to attack and defacement for at least the past 10 months, with two hackers leaving their calling cards on the site.
The two calling cards left by hackers, and the timestamps for both files.
(Screenshot by Michael Lee/ZDNet Australia)
Until recently, the site had been misconfigured to allow anyone to view the virtual directory listings on the governor-general's website. This enabled any member of the public to view what files had been uploaded to the web server, as well as certain details, including the date the file was last modified.
While most of the information on the server was public knowledge, it also revealed recent evidence that the web server had been compromised on 15 January, after a hacker uploaded an image to leave their calling card as a subtle way of proving that they had obtained access.
They weren't the first to break into the server, though. In a separate incident on 23 April last year, a different hacker uploaded a text file to the server to leave their calling card.
The ability to upload files to the web server would allow a scammer to build a phishing website, complete with the gg.gov.au domain name to add credibility to their scheme.
Government House said it is aware of the issues, but, at the time of writing, it has only removed one of the hackers' calling cards.
When asked whether it had stopped users from being able to arbitrarily upload files to its servers, it stated that it is not in a position to respond, on security grounds.
In addition, while the site's directory listings are no longer viewable directly, the information has been indexed and cached by Google. Documents publicly available to view include the personal information of highly commended Australians, such as Public Service Medal recipients and members of the Order of Australia. Although the details in the documents in some cases include full names, addresses and telephone numbers, Government House has stated that these were published with the consent of the recipients.
"The website does not conduct any private or secure business, nor contain any personal information that is not intended for publication," it said in a statement.
A quick Google search of the addresses indicated that many do not belong to businesses, but rather the personal residential addresses of members.
Chris Gatford, director at security-consulting and penetration-testing company Hacklabs, said that although website defacements are often trivial, they can have wider consequences.
"It's a pretty common misconfiguration — having virtual directory listings enabled — and something that sounds trivial; however, being able to browse all files in a folder can often lead to an attacker leveraging other misconfigurations and gaining complete access."
On a shared hosting service, Gatford said that this could result in other hosted websites being affected, or, in the case of an internally managed server, Government House's network could be compromised.
The Department of the Prime Minister and Cabinet, and the Office of the Official Secretary to the Governor-General are currently working on a secure-website project, according to Government House. This project will involve moving the existing site, which is hosted and developed by an outsourced third party, to reside within the Department of the Prime Minister and Cabinet.