Posts Tagged: unsecured state

Secure The Police!

City Of London non-secure-fs8

Imagine, just for a moment, you suspect that a friend of yours is a criminal. Perhaps they are running an illegal proxy, or hosting a search engine, or maybe criticising a dangerous cult, or even taking suspicious photographs. These are all - apparently - within the remit of The City Of London Police. Better report... Read more »

XSS at Food.gov.uk - disclosed and fixed

Food.gov.uk XSS screenshot

A few months ago, I was attending the National Hack The Government event. I was showing off some of the work I had been doing on "The Unsecured State" - looking at *.gov.uk website security. I was chatting to an envoy from the Food Standards Agency who was eager to hear more about what I'd... Read more »

Reactions to The Unsecured State

Computer Active NHS

It has been an intense few months digging through the security failings of the UK Government’s websites and trying to responsibly disclose them. It culminated with a week of blog posts exposing the vulnerabilities - and an award winning hackathon project. So what has been the reaction? The Good Privately, I've been contacted by people... Read more »

Introducing Corkr at #NHTG14

What a crazy weekend! I made the last minute decision to attend Rewired State's "National Hack The Government 2014" hackathon. Rather than hack on any of the provided datasets, I wanted to work on an interesting way to present all the security flaws I had found in Government websites. I teamed up with Mark, Marcello,... Read more »

The Unsecured State Part 5 - Abandoned Inquiries

Hutton Spam

This is part 5 of a series of blog posts looking at the security of the UK Government's web infrastructure. The primary cause of the vulnerabilities I've exposed over this series is abandonment. In a flurry of excitement a website is commissioned and created. Then, as time wears on, people begin to drift away from... Read more »

The Unsecured State Part 4 - UK Government Websites Spewing Spam

Hacked Gov UK Site in search listings-fs8

This is part 4 of a series of blog posts looking at the security of the UK Government's web infrastructure. Over the last few days, I've shown that hundreds of websites run by branches of the UK state are in a perilous state of disrepair. There are multiple sites with hugely embarrassing XSS flaws, running... Read more »

The Unsecured State Part 3 - 2,000+ NHS Security Vulnerabilities (Disclosed)

Breast Milk Video XSS

This is part 3 of a series of blog posts looking at the security of the UK Government's web infrastructure. Britain's National Health Service is riddled with old and insecure WordPress-based websites. Many of these sites have severe flaws including being vulnerable to XSS attacks. There is absolutely no suggestion that patient data or confidentiality... Read more »

The Unsecured State Part 2 - EduBase XSS (Disclosed & Fixed)

Edubase XSS

This is part 2 of a series of blog posts looking at the security of the UK Government's web infrastructure. Many XSS flaws rely on altering the GET parameters of a request. Some webmasters seem to think that if their forms only use POST they will be immune from the XSS. This is not the... Read more »