Privacy and Security Flaw with CAB

by @edent

The Citizens' Advice Bureaux have just released a real-time view of what people are searching for on its site. It's heartbreaking.

who supplies my electricity
why do some children become looked after
will i get back pay on pip

It was, sadly, deeply insecure.

[Screenshot: CAB XSS example]

It's falling foul of one of the most basic security flaws. It blindly echoes a user's input without checking or sanitising it.

[Screenshot: CAB XSS search]
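To make the flaw concrete, here is an added example (not code from the CAB site or from the original post) of a "recent searches" feed built the way the post describes, next to a version that escapes each term before it reaches the markup; the feed entries and function names are constructed for illustration.

```javascript
// Constructed sample feed entries (not real CAB data); the last one is a
// hostile search term of the kind the screenshots in the post show.
const sampleSearches = [
  "who supplies my electricity",
  "will i get back pay on pip",
  "<script>alert(1)</script>",
];

// VULNERABLE: the term is dropped straight into the markup. A browser that
// renders this string executes the script tag, exactly as the post reports.
function renderFeedUnsafe(searches) {
  return "<ul>" + searches.map(s => "<li>" + s + "</li>").join("") + "</ul>";
}

// Escape the five characters that change meaning in HTML text or attributes.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, ch => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// FIXED: every term is escaped before concatenation, so a hostile search is
// displayed as literal text rather than parsed as markup. (In a real page,
// setting textContent on a DOM node avoids building markup strings at all.)
function renderFeedSafe(searches) {
  return "<ul>" + searches.map(s => "<li>" + escapeHtml(s) + "</li>").join("") + "</ul>";
}

// A cheap regression check: the rendered feed must not contain any tag other
// than the <ul>/<li> tags the template itself emits.
function containsForeignTag(html) {
  return /<(?!\/?(ul|li)>)/i.test(html);
}

console.log(renderFeedUnsafe(sampleSearches)); // contains a live <script> tag
console.log(renderFeedSafe(sampleSearches));   // shows &lt;script&gt; as text
```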

There's another potential flaw here. Privacy. Hopefully no one is dumb enough to type in their full name, address, or National Insurance number.

We've known for years that it's possible to reconstruct Personally Identifiable Information from "anonymous" searches.

Can a malicious user look at the searches and identify you? How specific is your issue?


Ask yourself this - how comfortable would you be with every single search you make being projected onto the side of a building?

A few minutes after reporting this, the security flaw was fixed.
