EU Presidency Website Defaced

Unidentified hackers have defaced the website of the European Union Presidency assumed by Spain at the beginning of this month. The picture of Jose Luis Rodriguez Zapatero, Spain's Prime Minister, was replaced with one depicting Mr. Bean, a world-renowned comedy character.

The Presidency of the Council of the European Union is a position assumed by the national governments of the member states for periods of six months. The government of Spain led by Prime Minister Jose Luis Rodriguez Zapatero assumed this position at the beginning of January 2009 and will pass it on to Belgium's government in July.

According to the BBC, the attack on the www.eu2010.es, the Spanish Presidency of the European Union website, took place sometime on Monday. Visitors to the website were greeted by a picture of Mr. Bean, the well known character played by English comedian Rowan Atkinson, and the message “Hi there.”

The physical resemblance between Mr. Zapatero and Rowan Atkinson's character has apparently been the source of many jokes and ironies in Spain. Fortunately, webmasters were alerted of the defacement rather quickly and took the website down for investigations.

Local media reports that the incident was facilitate by a cross-site scripting vulnerability. Most commonly known as XSS, this sort of flaws results from improper validation of user input into forms. Cross-site scripting is currently the most common type of vulnerability according to the Common Vulnerabilities and Exposures (CVE) database.

Exploiting such a bug is fairly trivial through URL manipulation, and can result in permanent changes being made to Web page, persistent XSS, or temporary ones, called reflected XSS. It appears that, in this case, it was the latter. A specially constructed URL was spread on social networks and blogs, but the code of the website itself was not altered in any way.

Some people speculated that this attack might be a response to recent news that the website and related services, such as video conferencing and event streaming, that will serve Spain throughout its presidency, will cost the government almost 12 million Euros. Fortunately, the incident was harmless, but it could have been much worse. Such flaws can just as easily be exploited to serve malware to visitors.