TeamHav0k’s OP XSS: Vulnerabilities in US Government Sites

After revealing yesterday that many high-profile websites contained major cross-site scripting (XSS) vulnerabilities, the hackers of TeamHav0k stepped it up a notch and initiated OP XSS 2.0 to show that even websites hosted on government (.gov) and education (.edu) domains are highly vulnerable.

In OP XSS 2.0, the hackers focused on websites belonging to the US government and education institutions, but this time their findings come with a message.

University websites such as the ones belonging to the Rochester Institute of Technology, Arizona State University, NYU Poly’s Center for Advanced Technology in Telecommunications, Michigan State University, Aurora University, DeVry University, University of Hawaii, University of Virginia and Carnegie Mellon University were all proved to be severely flawed from a security standpoint.

While this list may be impressive, the list of government websites is even more so. XSS vulnerabilities were found in Readiness and Emergency Management for Schools, Rhode Island Office of the Secretary of State, Library of Congress, Brookhaven National Laboratory, Virginia Employment Commission, hosted on a Commonwealth of Virginia subdomain, The Nation’s Report Card, and even Feds Hire Vets.

We have managed to contact one of the team’s leaders, Echelon, to find out more details on this latest operation. If after the first operation it seemed like they were a group of gray hats that wanted to show website administrators their assets were not properly secured, it turns out that they’re ready to step to the dark side at any time.

“One thing I will say for sure. If SOPA or PIPA ever resurface 359 companies and corporations will pay for their betrayal to freedom,” he said.

The government websites were proven vulnerable to show that the hacker collective means business “and to show that security on a Government server is just pathetic.”

“The edu’s were just for the lulz though I reported them,” he added.

Besides the .edu and .gov websites, the popular comedy site of Turner Broadcasting Systems (TBS) and a free hosting site were also proven to be vulnerable. We have contacted the former to find out whether they plan on taking any measures to resolve the vulnerability.

XSS vulnerabilities are highly common in public websites. Unfortunately, they are also highly serious, because they allow an attacker to run arbitrary script code in the browsers of the affected site's visitors and to use that foothold for malicious campaigns targeting those visitors.
