UK intelligence site breached by hacker

MI5 has closed up a flaw on its Web site that could have opened up visitors to malicious attacks, the UK intelligence agency said.

The Web site suffered a cross-site scripting vulnerability that could have allowed hackers to inject code into the site and redirect users to malicious pages, MI5 admitted on Wednesday.

However, the government service insisted the Web site had been secured quickly, and that at no time had any intelligence operatives been exposed by the flaw.

"MI5 takes security very seriously," the intelligence agency told ZDNet UK. "The Web site is secure and hosted in a high-security environment."

Last week, a hacker with the handle '[-TE-]-Neo' wrote that the MI5 Web site was vulnerable to cross-site scripting and Iframe injection. The put the post on the Team Elite hacker forum last week, claiming the site was breachable through the search engine. Team Elite notified MI5's administrator of the flaw before posting proof-of-concept code.

The MI5 site uses an embedded Google search engine, said a spokesperson for the agency, who also confirmed that the site had been vulnerable through the search tool. However, the Web site is hosted separately from MI5's back-end systems and is not connected to sensitive data, the spokesperson added.

Once MI5 was informed of the vulnerability, it took action to remedy the situation, said the spokesperson. The flaw was not maliciously exploited and had been limited to that search engine.