Security flaw left Parliament website open to hackers

'Depressing basic error' could have been used to distribute malware within parliament, reveals programmer Terence Eden

The UK Parliament website until recently contained security flaws that left it open to exploitation by hackers and other cyber criminals.

A well-known coding vulnerability allowed visitors to use the website's internal search engine to manipulate code into displaying new types of information including text, images, video and even requests for entering passwords.

The latter could have potentially been used as a method to dupe users within Parliament into revealing their login credentials, giving hackers an inroad into the heart of British government.

The loophole - which has now been closed - was revealed in a blog by computer programmer Terence Eden, who said the "basic error" was "depressing to see". The revelation comes a month after it was revealed a coding error redirected visitors to the NHS website to malicious websites containing malware and advertising.

Eden demonstrated how the XSS (cross-site scripting) flaw can be exploited to display new images, text and videos on Parliament's website in a fashion employed by hacktivist groups like Anonymous. Incidents like these, while not damaging to www.parliament.uk users, would have been embarrassing for government officials if such a hijack had occurred.

However, Eden warned that while the loophole existed, it could have been used for much more nefarious means by hackers looking for more than "a bit of mischief," including attempting to sell products or distribute malware.

"Even if they can't run JavaScript, they can still run pretty convincing adverts, or direct people to install malware, or a whole host of other nasty things. Because the domain is parliament.uk it carries with it a significant level of trust," he wrote.

"Using XSS a spammer can place an HTML5 video selling their wares with an apparent Parliamentary endorsement. They can add links, images, sound - everything they need for a scam.

"Or, perhaps they are evil. They can send an email to every MP saying: Please Reset your password - visit http://...." Eden continued.

"Before you know it, they've gathered the Minister for Administrative Affairs' private details and are plundering Sir Humphrey's vaults," he said.

Eden added the flaw was disclosed to Parliament on Friday 7 February 2014, although it was not confirmed the issue was fixed until Tuesday 11 February.