The CIA Hack...still working.

Since this vulnerability was submitted by Harry Sintonen to Wired's Threat Level last week, it has been spreading like wildfire throughout the web.  Discovery of a new XSS is nothing new, but it becomes noteworthy when it involves a domain like CIA.gov.  While not a site-0wning exploit, it is an embarrassing example of poor input validation.

A search form on the site reflects the query back into the page without filtering, so a search string carrying script runs in the visitor's browser.  The query is processed and your customized version of the site appears (at least that seems to be what most people are using it for; for those with more malicious intent, good luck, you'll probably win a free ride in a black Suburban).  You can check out a comical example here.  And yes, this is still working at the time of this post.
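To make the "poor input validation" point concrete, here is an added example (not code from the post, and not the CIA.gov search code, which is not public) of what a reflected-XSS search page looks like beside its hardened form. The endpoint URL and the parameter name `q` are assumptions; the sample URLs are constructed. The fix is output encoding of the echoed term, not just "validation" of it.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests to a hypothetical search endpoint.
# The second one carries a bare tag in the query parameter.
SAMPLE_URLS = [
    "https://search.example/search?q=ponies",
    "https://search.example/search?q=%3Cscript%3E",
]


def query_term(url: str) -> str:
    """Pull the 'q' parameter out of a URL the way a search handler would."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def render_vulnerable(term: str) -> str:
    """Echoes the raw search term straight into HTML: reflected XSS."""
    return f"<h1>Search results for: {term}</h1>"


def render_hardened(term: str) -> str:
    """Same page, but the term is HTML-escaped for the element-body context.

    quote=True also escapes quotes so the helper is safe if the term is later
    placed inside a double-quoted attribute value.
    """
    return f"<h1>Search results for: {html.escape(term, quote=True)}</h1>"


def reflects_markup(page: str, term: str) -> bool:
    """Simple check a scanner or unit test can run: does a term containing
    markup characters appear verbatim (unescaped) in the rendered page?"""
    has_markup = any(ch in term for ch in "<>\"'")
    return has_markup and term in page


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        term = query_term(url)
        print("vulnerable:", render_vulnerable(term),
              "-> reflected markup:", reflects_markup(render_vulnerable(term), term))
        print("hardened:  ", render_hardened(term),
              "-> reflected markup:", reflects_markup(render_hardened(term), term))
```

`reflects_markup` is the kind of check worth putting in a regression test for every page that echoes user input: it catches the case where a developer "validates" the input (length, charset) but still drops it into the page unencoded. Note that `html.escape` is only correct for HTML element and attribute contexts; a term echoed into JavaScript or a URL needs the encoder for that context instead.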

This isn't the first time the CIA has had to say "Uh-oh" in response to their website.  Back in June 2007, John Leach revealed an XSS vulnerability on the CIA Freedom of Information webpage.  He even created a site that allowed people to publish their own documents to the CIA FOIA page.  (It no longer works.)

I wanted to see if perhaps they were acknowledging and/or addressing this issue.  I searched their site, and under News & Information, I only found:

Their What's New on CIA.gov:

April 17: Project COLDFEET: Seven Days in the Arctic.

April 16: Chiefs of State and Cabinet Members of Foreign Governments, updated content posting.

Their latest press-release page contained:

April 9: Transcript of Director Hayden's Interview on Meet the Press.

Nothing about this issue.

Fortunately, this site isn't associated with any sort of government agency that contains classified US documents.

What's their policy?  Don't ask...don't tell...don't validate input?  Or are they taking a page from the NSA's acronym of Never Say Anything?

Before we start criticizing the Chinese for the barrage of government-related cyber attacks, maybe we should be shouldering some of the blame for our lack of defenses.

Yes, ponies are cute, but I'm getting tired of my European friends making fun of me.  Please recruit someone to fix this.

This blog will self destruct in 10 seconds.  Send your covert comments to: greyhat@computer.org


Copyright © 2008 IDG Communications, Inc.
