As reported by Reuters and the BBC, the official website set up by the Spanish government to mark its six-month presidency of the EU was briefly compromised yesterday afternoon.
Mischievous hackers reportedly took advantage of Cross-Site Scripting (XSS) vulnerabilities on www.eu2010.es and replaced an image of Spanish Prime Minister Jose Luis Rodriguez Zapatero with the smiling face of Rowan Atkinson in his Mr. Bean guise, complete with the friendly greeting “Hi there!” Perhaps the hackers were hoping the attack would go unnoticed, as apparently there is a physical resemblance between Mr. Zapatero and Mr. Bean (of course I couldn’t possibly comment). The compromise only lasted a few hours until the original content was restored; by 4pm GMT yesterday afternoon the site administrators were reportedly working on a fix.
In this instance there does not appear to have been any malicious intent, but the dangers of XSS vulnerabilities should not be underestimated. Cross-Site Scripting vulnerabilities allow attackers to inject code into innocent web pages in which it would not otherwise appear. This can be used to steal information such as logins or banking credentials, redirect users to malicious web sites, or even directly infect visitors to the site. The real problem is that many web site admins are unaware of the dangers, and even some security companies continue to underestimate and downplay the importance of XSS vulnerabilities and attacks.
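The mechanism behind the incident, shown as an added example rather than anything from the original post or from the eu2010.es site itself: a page that echoes a visitor-supplied query parameter into its HTML, first unescaped (so supplied markup such as an image tag becomes part of the page) and then HTML-escaped for the context it lands in. The URL, page template and injected markup are all constructed for the illustration.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed page template: the visitor's "name" lands in element-text context.
PAGE_TEMPLATE = "<html><body><h1>Hi there, {name}!</h1></body></html>"

# Constructed sample: markup a visitor might smuggle in through the query string.
INJECTED = '<img src="bean.png" alt="Mr. Bean">'
SAMPLE_URL = "https://example.invalid/welcome?" + urlencode({"name": INJECTED})


def _name_from(url: str) -> str:
    """Pull the 'name' query parameter out of a URL (empty string if absent)."""
    return parse_qs(urlparse(url).query).get("name", [""])[0]


def render_vulnerable(url: str) -> str:
    """Interpolates the raw parameter: any tag the visitor supplies is
    rendered by the browser exactly as if the site had written it."""
    return PAGE_TEMPLATE.format(name=_name_from(url))


def render_hardened(url: str) -> str:
    """Same page, but the parameter is escaped for HTML text context, so
    '<', '>', '&' and quotes reach the browser as entities and display as
    literal characters instead of being parsed as markup."""
    return PAGE_TEMPLATE.format(name=html.escape(_name_from(url), quote=True))


def injected_tag_count(rendered: str) -> int:
    """Defender-side check: how many tag openers the rendered page carries
    beyond the fixed ones in the template. Anything above zero means
    visitor input was interpreted as markup."""
    return rendered.count("<") - PAGE_TEMPLATE.count("<")


if __name__ == "__main__":
    print("vulnerable:", injected_tag_count(render_vulnerable(SAMPLE_URL)))  # 1
    print("hardened:  ", injected_tag_count(render_hardened(SAMPLE_URL)))    # 0
```

Escaping must match the output context (element text here; attribute values, URLs and script blocks each need their own encoding), which is why framework auto-escaping and a Content-Security-Policy header are the usual defence in depth.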
On an interesting side note, El Mundo also reported recently that more than 12 million Euros had been spent on “technical assistance and security for the website of the Spanish Presidency [of the EU]”. Again, I couldn’t possibly comment, but SecureSite and Web Application Security are both an awful lot cheaper than that…