The Channel logo

News

By | Darren Pauli 11th July 2016 06:01

White hat banned for revealing vulns in news sites used by London councillors

Vendor claims claims of vulns are tosh

Security consultant Andrew Tierney has claimed that web platform NeighbourNET contains nasty vulnerabilities that could compromise users.

The company's sites are used for local news services, often by councils and councillors to communicate with residents. London districts favoured with sites powered by the service include Shepherds Bush, Wimbledon, and Hammersmith.

Tierney says he disclosed the holes to NeighbourNet two months before publishing his findings overnight.

The consultant says the NeighbourNET platform is vulnerable to cross-site request forgery, username spoofing, and logins that require only an email to access forum accounts.

"It would be fair to say the visual presentation of the sites hints at there being security problems," Tierney says.

"A mess of security issues - considering that local councillors use these sites to communicate with the public, allowing impersonation is a serious issue.

"A user can visit another website, and that website can cause them to carry out actions on the site, such as posting messages."

It also allows untrusted third party content to be embedded into forum posts thanks to a lack of whitelisting.

"This has only been tested with plain HTML, but if JavaScript, Flash or other content could be embedded, this would lead to cross-site scripting or malware delivery to users."

NeighbourNET has written to The Register with correspondence it says was directed to Tierney.

That email says, in part, that NeighbourNet's development team "acknowledged that you have identified some potential security holes but they have existed for a long time without ever been exploited and there seems little incentive for anyone to try to do so."

"We have been for some time now working on completely overhauled site architecture and whilst this project has been ongoing for sometime we are now talking in terms of months rather than years before implementation. This would close these security holes and others," says the email to Tierney we've been provided.

NeighbourNET also told The Reg that the company's sites contain no "nasty vulnerabilities that could compromise users".

"Our sites have been operating for over a decade without an major issue with security. We note that Mr Tierney fails to give a single example of any actual occasion on which security is compromised," the company says. ®

comment icon Read 62 comments on this article or post a comment alert Send corrections

Opinion

Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella
Stranded_ships

Chris Mellor

Thousands of layoffs announced as spinning rust enters its death spiral

Features

STRASBOURG, JUNE 29, 2016: The seat of the European Parliament. by Marco Aprile for shutterstock. EDITORIAL USE ONLY
Plan b, image via Shutterstock
EU workers, new markets: post-Brexit pressure on May & Co
Tough question, pic via Shutterstock
Honest mistake with your licensing? Audit police look at it on a 'case by case basis'