UK Parliament website hack exposes shoddy passwords

Lights on, no one home


Updated A vulnerability in the website of the UK Parliament appears to be exposing confidential information, including unencrypted login credentials, a Romanian hacker wrote on his blog.

The SQL injection vulnerability is on this page, the hacker, who goes by the moniker Unu, told The Register. By tacking database commands onto the end of the web address, it's possible to trick the site's backend server into coughing up data that was never intended to be published.

Based on a screen shot below, which was included on Unu's post, it appears Parliament's website has been coerced into divulging log-in credentials for at least eight accounts. The disclosure is troubling for several reasons.

First, there's the SQL injection hole itself. In the past, we've compared such attacks to Jedi mind tricks, in which weak-willed websites are turned against themselves with the web equivalent of a wave of a hand and a discreetly made suggestion. There's also the likelihood that the passwords, because they're being displayed in readable form, are being stored without the use of encryption. Keeping passwords in the clear is a big no-no in the world of security.
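The two defects described above, an SQL query built by splicing user input into the query text and passwords kept in readable form, are easiest to see side by side. The following is an added illustration, not code from Parliament's site or from Unu's post; it uses a constructed in-memory SQLite table with fictitious usernames and passwords (none of the leaked credentials), and the function names, the `pbkdf2_sha256$rounds$salt$digest` storage format and the 200,000 iteration count are assumptions chosen for the example. The unsafe lookup shows why spliced input is a problem (an ordinary apostrophe in a username already breaks the query, which is the same mechanism an attacker abuses); the safe lookup passes the input as a bound parameter, and the password store holds only salted PBKDF2 hashes, so a dump of the table would not reveal usable passwords.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed sample accounts for the example; not the credentials from the article.
SAMPLE_USERS = [("alice", "correct horse battery staple"), ("o'brien", "Tr0ub4dor&3")]

# Assumed work factor for the example; real deployments tune this to their hardware.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$rounds$salt_hex$digest_hex' with a fresh random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hash used for unknown usernames so a login attempt costs the same either way.
DUMMY_HASH = hash_password("not-a-real-password")


def build_db() -> sqlite3.Connection:
    """Create the constructed users table; only salted hashes are stored, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    for user, pw in SAMPLE_USERS:
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, hash_password(pw)))
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> Optional[str]:
    """The anti-pattern: user input spliced into the SQL text, so the input can change the query."""
    sql = f"SELECT password_hash FROM users WHERE username = '{username}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def unsafe_lookup_fails(conn: sqlite3.Connection, username: str) -> bool:
    """True if the spliced query cannot even handle this username (e.g. one containing a quote)."""
    try:
        lookup_unsafe(conn, username)
        return False
    except sqlite3.Error:
        return True


def lookup_safe(conn: sqlite3.Connection, username: str) -> Optional[str]:
    """The fix: a bound parameter is always data, never part of the query structure."""
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Authenticate with the parameterised lookup and the hashed store."""
    stored = lookup_safe(conn, username)
    # Always run the hash so unknown usernames are not distinguishable by timing.
    ok = verify_password(password, stored if stored is not None else DUMMY_HASH)
    return ok and stored is not None


if __name__ == "__main__":
    db = build_db()
    print("alice, right password:", login(db, "alice", "correct horse battery staple"))
    print("alice, wrong password:", login(db, "alice", "guess"))
    print("unsafe query breaks on o'brien:", unsafe_lookup_fails(db, "o'brien"))
    print("safe query handles o'brien:", lookup_safe(db, "o'brien") is not None)
```

The design point is that both fixes are cheap and independent: parameterised queries stop the database from treating a URL parameter as a command, and hashing with a per-user salt means that even a successful dump yields nothing an attacker can type into a login form.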

Finally, there are the passwords themselves. Because we don't want to give away potentially valid passwords, we won't say what they are. Suffice it to say most are trivial to guess. One of the few exceptions was a password that was the name of a popular superhero, never an acceptable access code.

That belonged to a user named "fulera." Softpedia speculates it belongs to one Alex Fuller, who according to a LinkedIn profile page, is currently employed as a senior web producer for the UK Parliament.

Of course, there's no way to know for sure how serious the leakage of such information is. It's possible the credentials were used for accounts that were discontinued weeks or months ago. A Parliament media officer contacted Tuesday said he'd have to look into the matter and get back to us the following day.

How a Jedi mind trick can fell Parliament

But either way, the website reflects poorly on Parliament. As federal prosecutors in the US revealed two weeks ago, hackers carrying out the largest credit card heist ever prosecuted got a toehold into supposedly secure systems by exploiting similar SQL injection vulnerabilities.

What's more, Unu said he's left two advisory messages since Sunday and the Softpedia article also says the webmaster has been notified. Counting The Register's call on Tuesday, that's at least four warnings over 48 hours. And yet the hole was wide open as recently as Tuesday evening.

This article will be updated if the vulnerability is fixed. Until then, you may want to steer clear of the site altogether. ®

Update

A few hours after this article was published, the vulnerable page was taken down. "I can confirm that the information has been passed to our site developers who are working on a solution as a matter of urgency," the Parliament media officer wrote in an email to The Reg.
