Slashdot Mirror

← Back to Stories (view on slashdot.org)

MI5 Website Breached By Hacker

Posted by CmdrTaco on from the because-they-can dept.

Jack Spine writes "UK intelligence agency MI5 has admitted that its website security was breached by hacker group Team Elite. A member of the hacker forum posted details of the hack last week, which took advantage of a cross-site scripting vulnerability in the site's Google embedded search. MI5 admitted the breach on Wednesday, but said that the flaw had not been exploited maliciously."

3 of 71 comments (clear)

  1. this XSS is overrated by Anonymous Coward · · Score: 1, Insightful

    I'm not sure I'd call exploiting an XSS vulnerability penetrating. Sure, it can be used with a hybridized CSRF attack to penetrate into otherwise restricted areas of a website (although I don't know of such areas on MI5's website), but XSS, in and of itself, is more akin to graffiti than anything else.

    And, btw, I don't consider the social engineering element of XSS to be a particularly bonafide threat. If someone's going to provide all their personal info because the MI5 website, through XSS, asked for it, what's to stop them from doing it for some MI5 look-alike domain? <sarcasm>mi5verify.co.uk is asking for my info? Only MI5 could have MI5 in their domain!!!

  2. Re:A bit misleading ... by Anonymous Coward · · Score: 3, Insightful

    If you can inject javascript on a remote page like this, then you can steal their session data and login as them. That sounds pretty serious to me.

    more so when you consider the fact that there is no login form on their entire website. if these hackers can exploit something that doesn't exist, they're truly the cream of the crop. what's next? sql injection on static html?

  3. Someone is missing the point by meist3r · · Score: 2, Insightful

    Fort Knox announced today that someone broke in and took a dump on the Gold ... nothing was stolen though.