Security Holes Found in Local London Sites
A security researcher has discovered several vulnerabilities in a platform used by local community websites in London which could allow remote hackers to impersonate councilors.
Membership of the sites is said to stand at 30,000.
For starters, it doesn’t require a password – just an email – to log-in, which raises the prospect of individuals being able to guess email addresses to log-in as others.
In addition, posting names can be spoofed on the site.
“The posting name and email is passed as a parameter when posting a message, and it can be altered to any value you want,” he explained. “This allows you to post as anyone else on the forum.”
There’s also no cross-site forgery protection.
“A user can visit another website, and that website can cause them to carry out actions on the site, such as posting messages,” explained Tierney.
“A mess of security issues,” he concluded. “Considering that local councilors use these sites to communicate with the public, allowing impersonation is a serious issue.”
The issues were reported to NeighbourNET 60 days prior to Tierney going public with this info, although the firm has yet to fix them.
Although it acknowledged the security holes, it claimed that they’ve been there for some time without ever having been exploited "and there seems little incentive for anyone to try to do so.”
“We have been for some time now working on completely overhauling site architecture and whilst this project has been ongoing for some time we are now talking in terms of months rather than years before implementation. This would close these security holes and others.”
Source: Information Security Magazine