By John Leyden
27th August 2009
Updated - Cross-site scripting (XSS) vulnerabilities on the National
Health Service's website created a means to send spoofed emails with
dodgy medical advice. The vulnerabilities, now fixed, also created a
potential means to run information-harvesting attacks.
Various security shortcomings on the main nhs.uk website established a
means for dodgy sorts to present content of their choosing in the
context of the NHS site. The flaws were discovered by Phillip Clarke, a
director at a small UK-based software development firm, who began
looking into the issue after reading about recent cross-site scripting
flaws on the websites of MI5 and the MoD.
Clarke also found similar XSS flaws on the website of the National
Institute for Health and Clinical Excellence in the UK (NICE), the
organisation that publishes clinical appraisals of medical treatments.
Subscribe to InfoSec News