The Web sites of Australia's two major political parties contain cross-site scripting (XSS) flaws, which could be exploited to fraudulently acquire political donations, say security experts.

A short line of script developed by a security enthusiast, Bsoric, causes the Liberal Party's Web site to read: "John Howard says: I want to suck your blood", while another script caused a window to pop up on the Labor Party's Web site, urging viewers to "Vote Liberal!"

Carl Jongsma, security expert at Sunnet Beskerming, said although the vulnerabilities on each party's Web sites have been exploited for comedic purposes, it would be possible to use the script to fraudulently target people for political donations.

"You would have the [Australian Federal Police] on to it pretty quick, but theoretically it's possible," Jongsma told ZDNet Australia.

People can expect to be approached by political parties for donations via e-mail since registered political parties are exempt from current anti-spam legislation.

The vulnerabilities were first published in August on popular security and hacking forum, Sla.ckers.org, however Sunnet Beskerming reported the vulnerabilities were still live earlier this week.

While the Liberal Party had fixed one vulnerability shortly after it was first discovered in August, the ALP's CIO, Dennis Perry, yesterday told ZDNet Australia that he was not aware of the problem. Today, the vulnerability was remedied.

Jongsma said the discovery of such cross-site scripting vulnerabilities generally indicate that more are likely exist on both parties' Web sites. He said security firms historically have reported these types of problems to Web site owners, however, today many have become reticent to due to the risk of being accused of creating the flaw themselves.

Cross-site scripting vulnerabilities are common to many Web sites, including government departments and large corporations, according to Chris Gatford from penetration testing firm Pure Hacking.

Gatford said he advises clients to use free vulnerability testing tools available through organisations such as OWASP.

Related links

Leave a comment

You must read and type the 6 chars within 0..9 and A..F

* indicates mandatory fields.

Log in


Sign up | Forgot your password?

Blogs

RSS feed

  • Staff Aussies to pay more for Win 7

    If you are looking to make some money in these troubled times, perhaps importing copies of Windows 7 could be for you. Read more »

    -- posted by Staff

  • Staff Firefox: Greens want it, 3.5rc2 not up to par

    This week's roundup looks at the situation surrounding a campaign to change Outlook HTML renderer, a Greens MP wants to install Firefox but is restricted and all the photos from the iPhone 3GS launch. Read more »

    -- posted by Staff

  • Chris Duckett Microsoft misses the Outlook point

    Ask designers which mail program is the bane of their existence, and you'll find that Outlook tops the list. The reason why the most popular email reader is also the most painful is simple: it uses Word to render HTML emails. Read more »

    -- posted by Chris Duckett

What's on?