6 posts • joined 28 Nov 2012
Harsh but hey, if it makes you feel better.
Re: Missing the point
With respect Richard, I haven't missed the point at all. The ICO don't collect/retain sensitive information by design... a design which can be altered by anyone using XSS.
The point is, the genuine ICO site may have been collecting personal information for the last 5 years... they just wouldn't know about it. In the screenshot above (Twitter link), I've replaced the entire page with a fake article, but it could very easily be a malicious form which forwards the data to a remote location. As the data never hits the ICO's server, they'd be none the wiser.
Highly unlikely, sure... but possible. This is the lowest of the low hanging fruit and the ICO missed it, several times. The altruistic notion of the ICO "protecting us", from a technology standpoint at least, is laughable. The site had both stored & reflected XSS and an SQLi exploit in the data protection register, ironically... not to mention the SSL failures late last year. It's shambolic to say the least.
Model of best practice? Give me a break.
Funny you should mention that Frankee...
Re: Not quite sure why all the downvotes.
I hope it's not an N66U, or you've jumped out the frying pan, skipped the fire and landed in a volcano.
Quick review of this site for you good folks... with advice on KeePass & IdentitySafe.
Re: False assumptions?
I look forward to the book ;)
It's a good point though, which makes it all the more important to ensure that nobody can change details without authorisation.
Thank you John for publishing this story.