Wanting to further prove that government websites are not secure, hackers from TeamDX found a persistent cross-site scripting vulnerability in the official website of City of Glendale, California.
No damage whatsoever was done to the site, the only reason why the operation took place was to show how “security is just an illusion.”
One of the hackers contacted me after he found the XSS flaw in the site’s search engine and said that he was amazed to how outdated the website’s security was.
“They are running .ASP net which is used in the 90s, haven't bothered to update to PHP which is more secure. Running Windows on an important website with .ASP is asking for trouble,” said the hacker.
Even though statistically speaking XSS vulnerabilities are the most common in websites today, few people realize how dangerous such a flaw really is.
“An attacker could take that, as it is a persistent XSS vulnerability, and infect a system administrator’s machine, or the ones of the people who attempt to search thru their engine,” he said.
The hacker explains that in these types of vulnerabilities, malicious code can be easily injected, in what’s called a Java drive-by, to infect the computers of unsuspecting users. In these attacks, a Java message pops up, prompting for an update, and once the so-called update is complete, the device is plagued.
“Usually viruses would show up as executable files and if you are the usual web surfer who is used to malware threats every day, you should have some common sense. However, Java drive-by updates are what get those, ‘the system administrators,’ infected.”
Finally, he states his reasons for not causing any real damage to the website.
“Only reason I didn't cause damage was to spook the Police. Not every Government website is secure. Although, I could’ve had several occasions of infecting computers and much more. But I chose not to,” he concluded.
The City of Glendale was alerted on the issue and hopefully they’ll take the necessary steps to prevent any unfortunate incidents.
Update. City of Glendale representatives contacted me to say that they're aware of the vulnerability and they have taken steps to resolving the issue.