Network World
Saturday, October 11, 2008

The CIA Hack...still working.

Since this vulnerability was submitted by Harry Sintonen to Wired's Threat Level last week, it has been spreading like wildfire across the web.  Discovery of a new XSS is nothing new, but it does become noteworthy when it involves a domain like CIA.gov.  While not a site-0wning exploit, it is an embarrassing example of poor input validation.

A search form on their site accepts script-bearing character strings without filtering them and reflects them back in the results page.  The query is processed and your customized version of the site appears (at least that seems to be what most people are using it for; for those with more malicious intent... good luck, you'll probably win a free ride in a black Suburban).  You can check out a comical example here.  And yes, this is still working at the time of this post.
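The bug described above is a reflected XSS: a search handler echoes the raw query into the HTML it returns.  The following is an added illustration, not code from CIA.gov (whose actual search implementation is not known), showing a weak results renderer beside a hardened one that escapes for the HTML text context and URL-encodes the query when it is placed in a link; the sample query is constructed.

```python
import html
from urllib.parse import quote

# Constructed sample: the kind of string a search form might receive.
SAMPLE_QUERY = 'arctic <em>injected</em>'


def render_results_unsafe(query: str) -> str:
    """Weak version: the raw query is echoed into the page.

    Any markup in the query is interpreted by the browser, which is the
    reflected-XSS pattern the post describes.
    """
    return f"<h2>Results for: {query}</h2>"


def render_results_safe(query: str) -> str:
    """Hardened version: escape for the HTML text context before reflecting.

    html.escape turns <, >, &, " and ' into entities, so the browser shows
    the query as text rather than parsing it as tags.
    """
    return f"<h2>Results for: {html.escape(query, quote=True)}</h2>"


def search_link_safe(query: str) -> str:
    """A 'search again' link: URL-encode for the query string, then escape
    the whole attribute value for the HTML attribute context."""
    href = "/search?q=" + quote(query, safe="")
    return f'<a href="{html.escape(href, quote=True)}">search again</a>'


def reflects_markup(page: str, query: str) -> bool:
    """Detection helper: True if a query containing a tag survives verbatim
    into the rendered page, i.e. the output was not escaped."""
    return "<" in query and query in page
```

A simple regression check for a search endpoint is to submit a query containing a harmless tag and confirm `reflects_markup` is false on the response.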

This isn't the first time the CIA has had to say "Uh-oh" in response to their website.  Back in June 2007, John Leach revealed an XSS vulnerability on the CIA Freedom of Information webpage.  He even created a site that allowed people to publish their own documents to the CIA FOIA page.  (No longer works.)

I wanted to see if perhaps they were acknowledging and/or addressing this issue.  I searched their site, and under News & Information, I only found:

Their What's New on CIA.gov:

April 17: Project COLDFEET: Seven Days in the Arctic.

April 16: Chiefs of State and Cabinet Members of Foreign Governments, updated content posting.

Their latest press release page contained:

April 9: Transcript of Director Hayden's Interview on Meet the Press.

Nothing about this issue.

Fortunately, this site isn't associated with any sort of government agency that contains classified US documents.

What's their policy?  Don't ask...don't tell...don't validate input?  Or are they taking a page from the NSA's acronym of Never Say Anything?

Before we start criticizing the Chinese for the barrage of government-related cyber attacks, maybe we should be shouldering some of the blame for our lack of defenses.

Yes, ponies are cute, but I'm getting tired of my European friends making fun of me.  Please recruit someone to fix this.

This blog will self destruct in 10 seconds.  Send your covert comments to: greyhat@computer.org
