Slashdot Mirror

← Back to Stories (view on slashdot.org)

MI5 Website Breached By Hacker

Posted by CmdrTaco on from the because-they-can dept.

Jack Spine writes "UK intelligence agency MI5 has admitted that its website security was breached by hacker group Team Elite. A member of the hacker forum posted details of the hack last week, which took advantage of a cross-site scripting vulnerability in the site's Google embedded search. MI5 admitted the breach on Wednesday, but said that the flaw had not been exploited maliciously."

12 of 71 comments (clear)

  1. meh by Anonymous Coward · · Score: 5, Informative

    It's a sort of script-injection vulnerability where you'd have to click on someone else's link to the MI5 site. I suppose it could steal cookies from someone stupid enough to click on a long link from an unknown person, but it's not like the site itself was hacked or anything, which is what "website breached by hacker" strongly implies.

    1. Re:meh by morgan_greywolf · · Score: 3, Informative

      The exploit is that people, especially in the U.K., will tend to trust results of a search that appear to be emanating from the MI5 website, and hence, with a well-formed set of "search results," a site could be setup that mimicks MI5's, thus tricking people into revealing passwords, credit card numbers, etc.

      Yeah, it's the work 4m4t3ure p0s3rz, but hey, what did you do last week?

      --
      My blog
    2. Re:meh by sys.stdout.write · · Score: 4, Funny

      Man.. James Bond villains are getting a lot nerdier.

  2. simple test by martin-boundary · · Score: 3, Funny

    MI5 admitted the breach on Wednesday, but said that the flaw had not been exploited maliciously.

    If a whole bunch of fake Iraq WMD reports start showing up on the net in the next few days, then we'll know if they were really exploited or not...

  3. Re:Better headline by magsol · · Score: 5, Funny

    />

    BOOM! Hit by CSS.

    --
    "I'd just like to emphasise that taking a million years isn't a metaphor here..." -Rich Bradshaw
  4. A bit misleading ... by crowemojo · · Score: 5, Informative

    I see this and think the word "Hacked" gets thrown around a bit too easily. This is an example of non-persistent (also referred to as reflected) cross site scripting. This means that in order to take advantage of it, they have to convince a target to visit their specially crafted link. To me, "Hacked" sort of implies "They got in!" or "Data was breached!" or other such bad things and that simply isn't the case here.

    So what does this type of XSS do? Mostly embarass people because defacement examples are posted to "look what I can do" forums (which is basically what happened). Think about the attack vector here, they have to get a victim to visit their specific url that includes their attack. How is that done? Malicious email, posting the link to some website or forum and hoping they find it and visit, embedding the link in other sites that have been hacked or something like a banner ad, or whatever. All of these involve the target going out of their way to visit this maliciously crafted url. When you consider that they could still do all these things without XSS and simply host malicious code themselves, all this reflected XSS is doing is making it a bit harder for an end user to spot that this is something non-standard and dangerous.

    Think of it this way, "With reflected XSS, I can send them a link, and if they visit it, I can do bad things to their computer!" but then again, you can do that without XSS too, it just isn't quite as effective. How many users are taking the time to carefully look at a link before clicking on it, checking to make sure it contains the domain name they expect and not just an IP address, or a domain name that is similar, but not quite right, etc. A user who is doing this sort of thing will more likely fall victim to this XSS attack, but most users, who don't scrutinize things at that level, were just as susceptible to a classic phishing/malicious linking attack anyways.

    1. Re:A bit misleading ... by Anonymous Coward · · Score: 3, Insightful

      If you can inject javascript on a remote page like this, then you can steal their session data and login as them. That sounds pretty serious to me.

      more so when you consider the fact that there is no login form on their entire website. if these hackers can exploit something that doesn't exist, they're truly the cream of the crop. what's next? sql injection on static html?

  5. Re:Competence by Iyonesco · · Score: 3, Funny

    It's hardly surprising since the pay at MI5 is abysmal. I requested an information pack during my last year of university but lost interest when I found MI5 was about the worst paying graduate recruiter and especially bad for central London. Given the pay I would imagine that anyone with competence would take a job in the private sector leaving them to scrape up the dregs.

    Still, it was worth requesting the information pack for the entertainment alone because in every one of the pictures all the people were turned away from the camera. It looked thoroughly ridiculous and I couldn't help think that they would have been better not using pictures at all.

  6. Re:Shit it's Neo by Chrisq · · Score: 3, Informative

    How could they ever abuse this "hack" anyway? "Hey man check the MI5 website by following my link here, it's a really cool governmental agency really. Please click!"

    Hey, did you know that someone on the MI5 site with your name is listed as a terrorist. He lives in the (your city) region as well. I'd watch out if I were you, someone might get the wrong idea. Here's a link so you can check it out yourself.

  7. Re:Better headline by TaggartAleslayer · · Score: 4, Funny

    I like how you were modded interesting instead of Funny. Some poor bastard out there is now furiously trying to hack the pentagon with tips from Zen Garden.

  8. Re:Competence by Shakrai · · Score: 4, Informative

    It's hardly surprising since the pay at MI5 is abysmal. I requested an information pack during my last year of university but lost interest when I found MI5 was about the worst paying graduate recruiter and especially bad for central London

    That's not really that unusual for Governmental agencies. I would imagine that most people who go to work for MI5/CIA/Mossad/etc are not doing it for the money.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  9. Oblig. by svtdragon · · Score: 3, Funny

    Man.. James Bond villains are getting a lot nerdier.

    Somebody beat you to this conclusion.