01/09/11
Paul Savage

Fine Gael’s website hacked – Finegael.ie


News has come in this evening that Fine Gael’s website was hacked at around 8pm on Sunday. It appears that an XSS vulnerability in the comment section was exploited. These types of hack attempts can occur when user input isn’t sanitised before being displayed on a webpage. The site was only launched last week, so this does come as a surprise.

Preventing Hacking Attempts

Any user-generated content you display on your website should be checked for malicious scripts and content. In the case of Fine Gael’s website, the injected content ended up redirecting the site to another website [seen below]. In essence it’s a rather straightforward hack:

  • A user entered a comment which contained the malicious code.
  • It was displayed on their website without being checked, parsed or sanitised (i.e. without potentially malicious tags being removed).
  • When the site is loaded, the comment is also loaded. Because it contained JavaScript tags, these were also run, and one of them redirected you to the “hack site”.

Screenshot of the hacked website
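The flow in the list above, sketched as an added example (not Fine Gael’s actual code; the function names, list template and sample comments are constructed for illustration). The unsafe renderer lets a comment’s script tag through, while escaping at output time turns it into visible text:

```javascript
// Added example: names and sample comments are constructed for illustration.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape the characters that let text break out of HTML content
// or out of a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored comment fields are pasted into the page as-is,
// so any tags a commenter typed become live markup for every visitor.
function renderCommentUnsafe(c) {
  return `<li><b>${c.author}</b>: ${c.body}</li>`;
}

// Hardened pattern: every user-supplied field is escaped at output time,
// so the browser displays the tags as text instead of executing them.
function renderCommentSafe(c) {
  return `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`;
}

function renderCommentList(comments, renderOne) {
  return `<ul>${comments.map(renderOne).join("")}</ul>`;
}

// Regression check: tag names in the rendered list that the template
// itself never emits (anything returned here came from user input).
function unexpectedTags(html) {
  const allowed = new Set(["ul", "li", "b"]);
  const found = [...html.matchAll(/<\s*\/?\s*([a-z][a-z0-9]*)/gi)]
    .map((m) => m[1].toLowerCase());
  return [...new Set(found.filter((name) => !allowed.has(name)))];
}

// Constructed sample data: one ordinary comment, one carrying a script tag.
const SAMPLE_COMMENTS = [
  { author: "Mary & Tom", body: "Great launch, 5 < 10 though!" },
  { author: "visitor", body: "<script>location.href='https://example.invalid/'</script>" },
];

console.log(unexpectedTags(renderCommentList(SAMPLE_COMMENTS, renderCommentUnsafe)));
console.log(unexpectedTags(renderCommentList(SAMPLE_COMMENTS, renderCommentSafe)));
```

Escaping like this covers HTML element content and quoted attribute values; user input placed inside script blocks or URLs needs encoding specific to that context.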

No doubt there will be calls for a full explanation as to how this could happen to Fine Gael’s website. For further reading about the hack attempt, check threads on boards.ie / politics.ie, news on RTÉ / siliconrepublic.com / thejournal.ie and on blogs like michele’s & nábídána’s.

Update: As of 21:40, January 9 2011, it seems that the website has been replaced with a holding template while the website is fixed.

The website as of 21:40

Temporarily taken offline


Update: There are now reports that the hack also compromised some data on the website; an Irish journalist has received up to 4,000 details of users of the website.
