XSS flaw makes PM say: "I want to suck your blood"

Summary: The Web sites of Australia's two major political parties contain cross-site scripting vulnerabilities, which could be exploited to fraudulently acquire political donations, say security experts.

The Web sites of Australia's two major political parties contain cross-site scripting (XSS) flaws, which could be exploited to fraudulently acquire political donations, say security experts.

A short line of script developed by a security enthusiast, Bsoric, causes the Liberal Party's Web site to read: "John Howard says: I want to suck your blood", while another script caused a window to pop up on the Labor Party's Web site, urging viewers to "Vote Liberal!"

Carl Jongsma, security expert at Sunnet Beskerming, said that although the vulnerabilities on each party's Web site have so far been exploited only for comedic purposes, it would be possible to use the same technique to fraudulently target people for political donations.

"You would have the [Australian Federal Police] on to it pretty quick, but theoretically it's possible," Jongsma told ZDNet Australia.

People can expect to be approached by political parties for donations via e-mail since registered political parties are exempt from current anti-spam legislation.

The vulnerabilities were first published in August on the popular security and hacking forum Sla.ckers.org; however, Sunnet Beskerming reported that the vulnerabilities were still live earlier this week.

While the Liberal Party had fixed one vulnerability shortly after it was first discovered in August, the ALP's CIO, Dennis Perry, yesterday told ZDNet Australia that he was not aware of the problem. Today, the vulnerability was remedied.

Jongsma said the discovery of such cross-site scripting vulnerabilities generally indicates that more are likely to exist on both parties' Web sites. He said security firms have historically reported these types of problems to Web site owners; today, however, many have become reticent to do so because of the risk of being accused of creating the flaw themselves.

Cross-site scripting vulnerabilities are common to many Web sites, including government departments and large corporations, according to Chris Gatford from penetration testing firm Pure Hacking.

Gatford said he advises clients to use free vulnerability testing tools available through organisations such as OWASP.
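The defect behind the pop-ups described above is a page that echoes a request parameter back into its HTML without escaping it. The following is an added Python example (not code from the article, ZDNet, or either party's site) with two constructed stand-ins for a search page, one vulnerable and one fixed, plus the kind of reflection probe a free scanner of the sort Gatford recommends runs: it feeds each HTML-significant character through the page and reports which ones come back raw.

```python
import html

# Constructed stand-in for a page that reflects the query verbatim (the bug class in the story).
def render_search_vulnerable(query: str) -> str:
    return f"<html><body><h1>Results for {query}</h1></body></html>"

# Same page with output encoding applied: every HTML-significant character is escaped.
def render_search_fixed(query: str) -> str:
    return f"<html><body><h1>Results for {html.escape(query, quote=True)}</h1></body></html>"

# Characters that let reflected input break out of text or attribute context.
SPECIALS = '<>"\'&'

def surviving_specials(render, marker: str = "zqprobe91") -> set:
    """Probe a render function once per special character.

    Each probe is marker + ch + 'end'; the trailing 'end' prevents a false
    positive on '&', whose escaped form '&amp;end' would otherwise still
    contain 'marker&' as a substring. Returns the set of characters echoed raw.
    """
    survived = set()
    for ch in SPECIALS:
        probe = f"{marker}{ch}end"
        if probe in render(probe):
            survived.add(ch)
    return survived

def is_reflected_unescaped(render) -> bool:
    """True when the page reflects at least one special character without encoding it."""
    return bool(surviving_specials(render))

if __name__ == "__main__":
    print("vulnerable page leaks:", sorted(surviving_specials(render_search_vulnerable)))
    print("fixed page leaks:", sorted(surviving_specials(render_search_fixed)))
```

A real scanner sends the probes over HTTP and inspects the response body in the same way; the logic of the check is unchanged.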

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.
