Operation XSS, the operation launched by the grey hats from TeamHav0k, continues, the hackers managing to identify cross-site scripting vulnerabilities in the official websites of governments from all over the world, including countries such as United Kingdom, France, Brazil and the United States.
“Well here are some XSS's from around the world! We have them on the French, United Kingdom and the United States(Cali) governemtn's. Shout out to: Pi, Zer0Pwn, SquirmyBeast, Kobez, Mobil3_xT You guys are all awesome and have all helped me out in the past :) thanks guys,” the hackers wrote in a Pastebin post they provided us with.
Besides their statement, the post also contains a proof-of-concept to show that the site of France’s Ministry of Agriculture, Food, Fishing, Rural and Regional Development (agriculture.gouv.fr) contains a major XSS flaw that can be utilized by an attacker to take over an unsuspecting user’s session.
A similar vulnerability was identified on the official site dedicated by the French government to outdoor sports (sportsdenature.gouv.fr).
Moving on to the Brazilian government, the hackers discovered an XSS flaw that affects the website managed by the country’s National Agency for Electrical Energy (aneel.gov.br).
The domains owned by the Newport City Council (newport.gov.uk) and the Marine Accident Investigation Branch (maib.gov.uk) from the United Kingdom are on the list of potential victims.
Finally, the US site appointed as being insecure belongs to the California Department of Pesticide Regulation (calpip.cdpr.ca.gov), the organization that’s in charge of monitoring the use of pesticide and its effects on public safety.
Hopefully, the aforementioned organizations will take the necessary steps to address these issues to ensure that their visitors are protected against potential attacks. As they accustomed us, TeamHav0k will probably revisit these vulnerabilities and notify us when the security holes are patched up.