A security researcher has discovered several vulnerabilities in a platform used by local community websites in London which could allow remote attackers to impersonate local councillors.
NeighbourNET runs nine sites in the capital which provide local news and information for their immediate surrounding area, including Fulham, Chiswick, and Wandsworth.
Membership of the sites is said to stand at 30,000.
However, security researcher Andrew Tierney highlighted several security issues in a blog post on Sunday (h/t The Register).
For starters, the sites require only an email address, not a password, to log in, so anyone who knows or can guess a member's email address can log in as that member.
In addition, posting names can be spoofed on the site.
“The posting name and email are passed as a parameter when posting a message, and it can be altered to any value you want,” he explained. “This allows you to post as anyone else on the forum.”
There’s also no cross-site request forgery (CSRF) protection.
“A user can visit another website, and that website can cause them to carry out actions on the site, such as posting messages,” explained Tierney.
Finally, the sites allow untrusted third-party content to be embedded in posts. Tierney explained that he has only tried this with HTML so far, but if Flash, JavaScript or other active content is also accepted, it could allow attackers to deliver malware or enable cross-site scripting.
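To make the three posting-side issues concrete, here is an added example that is not NeighbourNET's code (the article does not show the platform's real parameters or internals; the request shape, session store, field names and the impersonated name are all constructed for illustration). A vulnerable post handler trusts the poster's name and email from the form and does no CSRF check, so a page on another site can make a logged-in member's browser post under any name, with raw HTML stored for rendering. The hardened handler beside it takes identity only from the session, requires a per-session CSRF token the third-party page cannot read, and escapes the body.

```python
import hmac
import html
import secrets

# Constructed server-side session store: session id -> identity and CSRF token.
# Assumption: the site keeps a cookie-bound session; the article does not
# describe NeighbourNET's real mechanism.
SESSIONS = {
    "sess-alice": {
        "email": "alice@example.org",
        "name": "Alice",
        "csrf": secrets.token_hex(16),
    }
}


def vulnerable_post(request, store):
    """Trusts the poster's name and email from the form body and does no
    CSRF check, so a cross-site page can submit a post under any name, and
    the raw HTML body is stored for rendering as-is."""
    form = request["form"]
    post = {"name": form["name"], "email": form["email"], "body": form["body"]}
    store.append(post)
    return 200, post


def hardened_post(request, store):
    """Derives identity from the session cookie, requires the per-session
    CSRF token to be echoed in the form, and HTML-escapes the body."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, None
    # Constant-time compare; a page on another origin cannot read this token.
    if not hmac.compare_digest(request["form"].get("csrf", ""), session["csrf"]):
        return 403, None
    post = {
        "name": session["name"],    # form-supplied name/email are ignored
        "email": session["email"],
        "body": html.escape(request["form"].get("body", "")),
    }
    store.append(post)
    return 200, post


def forged_request():
    """What a malicious third-party page could make Alice's browser send:
    her session cookie is attached automatically, but the page cannot know
    her CSRF token. The impersonated identity is a constructed placeholder."""
    return {
        "cookies": {"sid": "sess-alice"},
        "form": {
            "name": "Councillor Example",
            "email": "councillor@example.org",
            "body": "<script>alert(1)</script>",
        },
    }


def legitimate_request():
    """The same form submitted from the site itself, token included."""
    req = forged_request()
    req["form"]["csrf"] = SESSIONS["sess-alice"]["csrf"]
    return req


def demo():
    """Run both handlers and return what each accepted or refused."""
    vulnerable_store, hardened_store = [], []
    v_code, v_post = vulnerable_post(forged_request(), vulnerable_store)
    h_forged_code, _ = hardened_post(forged_request(), hardened_store)
    h_code, h_post = hardened_post(legitimate_request(), hardened_store)
    return {
        "vulnerable": (v_code, v_post["name"], v_post["body"]),
        "hardened_forged": h_forged_code,
        "hardened_legit": (h_code, h_post["name"], h_post["body"]),
    }


if __name__ == "__main__":
    for outcome, detail in demo().items():
        print(outcome, detail)
```

Running `demo()` shows the vulnerable handler storing the spoofed name and the raw script tag, the hardened handler refusing the forged request with 403, and the legitimate request being stored under the session's own name with the body escaped. Note that this does not address the email-only login: a session obtained by simply supplying someone else's email address is still that person's session, so the posting-side fixes only help once login itself requires a credential.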
“A mess of security issues,” he concluded. “Considering that local councilors use these sites to communicate with the public, allowing impersonation is a serious issue.”
The issues were reported to NeighbourNET 60 days before Tierney went public with them, but the firm has yet to fix them.
Although it acknowledged the security holes, it claimed that they’ve been there for some time without ever having been exploited “and there seems little incentive for anyone to try to do so.”
It continued:
“We have been for some time now working on completely overhauling site architecture and whilst this project has been ongoing for some time we are now talking in terms of months rather than years before implementation. This would close these security holes and others.”