ICO plugs XSS vuln in its website. Only took watchdog FIVE YEARS

The Information Commissioner's Office (ICO) has finally fixed a security bug on its website - five years after it was first notified to the data privacy watchdog. IT consultant Paul Moore first warned the ICO about a cross-site scripting (XSS) problem on its website in 2009. The flaw meant it was possible to introduce arbitrary …

COMMENTS

This topic is closed for new posts.
Silver badge

(Re)Curses!

Someone should report the ICO to the ICO

3
0

Re: (Re)Curses!

Funny you should mention that Frankee...

https://twitter.com/Rambling_Rant/status/449514356389064704

1
1
Anonymous Coward

Re: (Re)Curses!

Downvote for plugging your own twitter user, instead of just linking to the image.

0
0

Re: (Re)Curses!

Harsh but hey, if it makes you feel better.

1
0
Anonymous Coward

ICO ==

Chocolate Fireguard

1
0

Missing the point

Paul Moore is missing the point rather: the most egregious thing that BPAS did wrong was retaining sensitive personal information for no reason whatsoever. It's not a 'my site is harder than your site' pissing contest.

Yes, the ICO should fix their buggy site; it's just good practice. However, it's not a crime to have a hackable web site: it's about the data not the technology.

0
1

Re: Missing the point

With respect Richard, I haven't missed the point at all. The ICO don't collect/retain sensitive information by design... a design which can be altered by anyone using XSS.

The point is, the genuine ICO site may have been collecting personal information for the last 5 years... they just wouldn't know about it. In the screenshot above (twitter link), I've replaced the entire page with a fake article, but it could very easily be a malicious form which forwards the data to a remote location. As the data never hits the ICO's server, they'd be none the wiser.

Highly unlikely, sure... but possible. This is the lowest of the low hanging fruit and the ICO missed it, several times. The altruistic notion of the ICO "protecting us", from a technology standpoint at least, is laughable. The site had both stored & reflected XSS and an SQLi exploit in the data protection register, ironically... not to mention the SSL failures late last year. It's shambolic to say the least.

Model of best practice? Give me a break.

2
0
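The reply above describes the mechanism: a page that reflects user input without encoding lets an attacker rewrite what the visitor sees, including a form that posts elsewhere. The following is an added example, not code from the ICO site or from any poster here. It uses a constructed toy "search results" page: the vulnerable renderer echoes the `q` parameter raw, the hardened one HTML-encodes it and adds a Content-Security-Policy whose `form-action 'self'` directive stops injected forms submitting off-site. The `reflects_unencoded` helper is the kind of check a reviewer would run with a harmless probe. Names and the CSP value are assumptions for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed toy template; stands in for any server-rendered page that echoes a parameter.
TEMPLATE = "<h1>Results for: {q}</h1>"

# Harmless probe: it only shows whether markup survives, nothing more.
PROBE = "<i>x</i>"


def render_vulnerable(query_string: str) -> str:
    """Reflects the 'q' parameter into the page with no encoding (the defect)."""
    q = parse_qs(query_string).get("q", [""])[0]
    return TEMPLATE.format(q=q)


def render_hardened(query_string: str) -> dict:
    """Same page, with untrusted text HTML-encoded and defensive headers attached."""
    q = parse_qs(query_string).get("q", [""])[0]
    # quote=True also encodes ' and ", so the value is safe inside attributes too.
    body = TEMPLATE.format(q=html.escape(q, quote=True))
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Assumed policy: scripts only from this origin, forms may only post back here,
        # and the page cannot be framed. 'form-action' is what blocks an injected form
        # from forwarding data to a remote location.
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; "
            "form-action 'self'; frame-ancestors 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
    }
    return {"body": body, "headers": headers}


def reflects_unencoded(page_body: str, probe: str = PROBE) -> bool:
    """True if the raw probe markup appears verbatim in the rendered page."""
    return probe in page_body


def check_renderer(render, probe: str = PROBE) -> bool:
    """Run the probe through a renderer and report whether it reflects markup unencoded.

    Accepts either a plain-string renderer or one returning {'body': ..., 'headers': ...}.
    """
    from urllib.parse import urlencode

    out = render(urlencode({"q": probe}))
    body = out["body"] if isinstance(out, dict) else out
    return reflects_unencoded(body, probe)


if __name__ == "__main__":
    qs = "q=%3Ci%3Ex%3C%2Fi%3E"  # the probe, percent-encoded as a browser would send it
    print("vulnerable:", render_vulnerable(qs))
    print("hardened:  ", render_hardened(qs)["body"])
    print("vulnerable reflects markup:", check_renderer(render_vulnerable))
    print("hardened reflects markup:  ", check_renderer(render_hardened))
```

Output encoding at the point the value lands in HTML is the fix; the CSP is a second layer that limits what an injected form or script could do if encoding is ever missed elsewhere on the site. Run the module directly to see both renderings side by side.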
Bronze badge

Turning circle of a...

Turning circle of a... gov department.

0
0
Silver badge

Re: Turning circle of a...

Is that like a sit-and-spin?

0
0
Silver badge
Trollface

Re: Turning circle of a...

meatspin ... never mind shock sites are not cool.

0
0