(Re)Curses!
Someone should report the ICO to the ICO
The Information Commissioner's Office (ICO) has finally fixed a security bug on its website - five years after it was first notified to the data privacy watchdog. IT consultant Paul Moore first warned the ICO about a cross-site scripting (XSS) problem on its website in 2009. The flaw meant it was possible to introduce …
Paul Moore is missing the point rather: the most egregious thing that BPAS did wrong was retaining sensitive personal information for no reason whatsoever. It's not a 'my site is harder than your site' pissing contest.
Yes, the ICO should fix their buggy site; it's just good practice. However, it's not a crime to have a hackable web site: it's about the data not the technology.
With respect Richard, I haven't missed the point at all. The ICO don't collect/retain sensitive information by design... a design which can be altered by anyone using XSS.
The point is, the genuine ICO site may have been collecting personal information for the last 5 years... they just wouldn't know about it. In the screenshot above (twitter link), I've replaced the entire page with a fake article, but it could very easily be a malicious form which forwards the data to a remote location. As the data never hits the ICO's server, they'd be none the wiser.
Highly unlikely, sure... but possible. This is the lowest of the low hanging fruit and the ICO missed it, several times. The altruistic notion of the ICO "protecting us", from a technology standpoint at least, is laughable. The site had both stored & reflected XSS and an SQLi exploit in the data protection register, ironically... not to mention the SSL failures late last year. It's shambolic to say the least.
Model of best practice? Give me a break.
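The scenario Paul describes above (a reflected parameter used to replace page content with a form that posts elsewhere) comes down to unescaped output, and it is closed server-side by output encoding plus a Content-Security-Policy whose `form-action` directive stops injected forms from submitting off-site. The following is an added example, not code from the ICO site or from anyone in this thread; the function names, the CSP values and the log lines are all constructed for illustration, and the whole block runs offline.

```python
import html
from urllib.parse import urlsplit, parse_qs, unquote

# Added example (not from the thread): the reflected-XSS pattern discussed
# above, the server-side controls that close it, and a simple log check.

def render_search_vulnerable(query: str) -> str:
    # Reflects the user-supplied query straight into the HTML body, so any
    # markup in the parameter becomes live markup in the page.
    return f"<h1>Results for {query}</h1>"

def render_search_hardened(query: str) -> str:
    # html.escape turns <, >, &, " and ' into entities; the reflected value
    # is rendered as text and cannot open a new element such as a <form>.
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"

def security_headers() -> dict:
    # Defence in depth: no inline or third-party script, and form-action
    # 'self' means that even an injected form can only post back to this
    # origin rather than to a remote collection point.
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; "
            "form-action 'self'; base-uri 'self'"
        ),
    }

def suspicious_params(request_line: str) -> list:
    # Detection angle: return the names of query parameters whose decoded
    # value contains a tag opener. parse_qs decodes one layer of
    # percent-encoding; unquote handles a second (double-encoded) layer.
    path = request_line.split()[1]
    query_string = urlsplit(path).query
    hits = []
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        if any("<" in unquote(v) for v in values):
            hits.append(name)
    return hits

# Constructed input and log lines for demonstration only.
CONSTRUCTED_INPUT = '<form action="https://example.invalid/collect">'
CONSTRUCTED_LOG = [
    "GET /search?q=data+protection HTTP/1.1",
    "GET /search?q=%3Cform%20action%3D%22https%3A%2F%2Fexample.invalid%22%3E HTTP/1.1",
]

if __name__ == "__main__":
    print("vulnerable:", render_search_vulnerable(CONSTRUCTED_INPUT))
    print("hardened:  ", render_search_hardened(CONSTRUCTED_INPUT))
    print("headers:   ", security_headers())
    for line in CONSTRUCTED_LOG:
        print(suspicious_params(line), line)
```

The escaped rendering is the fix; the CSP header is the safety net for the case where some other template forgets to escape, and the log check is the kind of cheap signal that would have shown a request like the second constructed line long before a five-year wait.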