MI5 Website Breached By Hacker
Jack Spine writes "UK intelligence agency MI5 has admitted that its website security was breached by hacker group Team Elite. A member of the hacker forum posted details of the hack last week, which took advantage of a cross-site scripting vulnerability in the site's Google embedded search. MI5 admitted the breach on Wednesday, but said that the flaw had not been exploited maliciously."
this XSS is overrated (Score:1, Insightful)
I'm not sure I'd call exploiting an XSS vulnerability penetrating. Sure, it can be used with a hybridized CSRF attack to penetrate into otherwise restricted areas of a website (although I don't know of such areas on MI5's website), but XSS, in and of itself, is more akin to graffiti than anything else.
And, btw, I don't consider the social engineering element of XSS to be a particularly bona fide threat. If someone's going to provide all their personal info because the MI5 website, through XSS, asked for it, what's to stop them from doing it for some MI5 look-alike domain? <sarcasm>mi5verify.co.uk is asking for my info? Only MI5 could have MI5 in their domain!!!
Re:A bit misleading ... (Score:3, Insightful)
More so when you consider the fact that there is no login form on their entire website. If these hackers can exploit something that doesn't exist, they're truly the cream of the crop. What's next? SQL injection on static HTML?
Someone is missing the point (Score:3, Insightful)