I think it is about a year now since I found the first hole in the £2.8 Million Birmingham Council site. It was found and reported on launch day, but nothing has been done; the same hole is still there, ready to be exploited.
XSS is a big deal: it lets an attacker inject their own scripts into the site, running with whatever privileges the user has on that site, and able to capture any information they enter.
After the recent figures were published about how much the UK government was spending on websites, my little hole came up again on Twitter, so I did a little poking around. It didn’t take long to find another hole. Now this one is a little bit more worrying. It is the same kind of attack (XSS), but look at the page(s) it can execute on. These pages collect the following data:
- Full name including title
- Your home phone number
- Your mobile number
- Your email address
- Your full postal address including post code
- as well as whatever you want to contact the council about
At a very minimum these details could be harvested and sold to direct marketers; at worst they could be used for identity theft or harassment. But you’re not going to be thinking about that when you enter the details, because it will appear as if you are only giving those details to the council, when in actual fact anyone who wants to could intercept those details just by sending you a Birmingham Council website URL with the required code in the URL.
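To make the mechanism concrete from the defender's side, here is an added example (my own illustration, not the council's code or anything taken from the site): a contact form handler that reflects a query-string parameter into the page. The first version echoes the value verbatim, which is the bug class described above; the second HTML-escapes every reflected value before it reaches the markup. The `subject` parameter, the form fields and the harmless `<b>probe</b>` marker are all constructed for the example; the check at the end is the kind of regression test a site owner can keep in their build so the hole does not come back.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed example: a contact page that echoes a "subject" query parameter.
# Neither function below is real council code.

FORM_FIELDS = (
    "<input name='fullname'>"
    "<input name='phone'>"
    "<input name='email'>"
    "<textarea name='message'></textarea>"
)


def _subject_from_url(url: str) -> str:
    """Extract the (percent-decoded) 'subject' query value from a full URL."""
    query = urlsplit(url).query
    return parse_qs(query).get("subject", [""])[0]


def render_contact_vulnerable(url: str) -> str:
    """Reflects user input straight into HTML: whatever is in the URL becomes markup."""
    subject = _subject_from_url(url)
    return (
        "<form method='post' action='/contact'>"
        f"<p>Subject: {subject}</p>"
        f"{FORM_FIELDS}"
        "</form>"
    )


def render_contact_hardened(url: str) -> str:
    """Same page, but the reflected value is HTML-escaped (including quotes)."""
    subject = html.escape(_subject_from_url(url), quote=True)
    return (
        "<form method='post' action='/contact'>"
        f"<p>Subject: {subject}</p>"
        f"{FORM_FIELDS}"
        "</form>"
    )


# A harmless marker used by the regression check below; it is not a payload,
# just a tag that should never come back unescaped.
PROBE = "<b>probe</b>"
PROBE_URL = "https://example.invalid/contact?subject=%3Cb%3Eprobe%3C%2Fb%3E"


def reflects_unescaped(page: str, probe: str = PROBE) -> bool:
    """True if the rendered page contains the probe as live markup."""
    return probe in page


if __name__ == "__main__":
    print("vulnerable reflects markup:", reflects_unescaped(render_contact_vulnerable(PROBE_URL)))
    print("hardened reflects markup:  ", reflects_unescaped(render_contact_hardened(PROBE_URL)))
```

The escaping has to be applied to every reflected value on the page, not just the one that was reported; a `Content-Security-Policy` header that disallows inline script is a useful second layer, but output encoding is the fix.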
Some people are saying they can’t see the shortened links, so here they are in their full glory.
Original XSS injection
Newly discovered XSS injection (UPDATE: minor adjustment, as it was not executing in Firefox; I think it was an encoding issue)
Hey Birmingham Council, if you’re reading this: I’ll build you a proper website, and I’ll only charge £2.7 Million. I’ll even throw in a couple of years’ maintenance. ;)