The Web sites of Australia's two major political parties contain cross-site scripting (XSS) flaws, which could be exploited to fraudulently acquire political donations, say security experts.
A short line of script developed by a security enthusiast, Bsoric, causes the Liberal Party's Web site to read: "John Howard says: I want to suck your blood", while another script caused a window to pop up on the Labor Party's Web site, urging viewers to "Vote Liberal!"
Carl Jongsma, security expert at Sunnet Beskerming, said although the vulnerabilities on each party's Web sites have been exploited for comedic purposes, it would be possible to use the script to fraudulently target people for political donations.
"You would have the [Australian Federal Police] on to it pretty quick, but theoretically it's possible," Jongsma told ZDNet Australia.
People can expect to be approached by political parties for donations via e-mail since registered political parties are exempt from current anti-spam legislation.
The vulnerabilities were first published in August on popular security and hacking forum, Sla.ckers.org, however Sunnet Beskerming reported the vulnerabilities were still live earlier this week.
While the Liberal Party had fixed one vulnerability shortly after it was first discovered in August, the ALP's CIO, Dennis Perry, yesterday told ZDNet Australia that he was not aware of the problem. Today, the vulnerability was remedied.
Jongsma said the discovery of such cross-site scripting vulnerabilities generally indicate that more are likely exist on both parties' Web sites. He said security firms historically have reported these types of problems to Web site owners, however, today many have become reticent to due to the risk of being accused of creating the flaw themselves.
Cross-site scripting vulnerabilities are common to many Web sites, including government departments and large corporations, according to Chris Gatford from penetration testing firm Pure Hacking.
Gatford said he advises clients to use free vulnerability testing tools available through organisations such as OWASP.
