A prime website compromise

Posted by Maxim Weinstein Tue, 08 Jul 2008 15:33:37 GMT

Last month, Google found badware on www.webchat.pm.gov.uk. Yes, that would be an official web chat server provided by the UK Prime Minister’s office for use by government officials to hold chats with citizens. (Kudos to the Brits, by the way, for engaging in this way with their constituents.)

While I’m sure there are some conspiracy theorists who would disagree, I’m fairly certain that the UK government didn’t set out to infect its citizens. Rather, this was a classic case of a legitimate website being compromised via a SQL injection due to some old, insecure code in the server application. Iain Ballard, application support manager for Twofour Digital, the company that provides the web chat site for the PM’s office, explains:

This department has grown from one developer two years ago, to several teams totalling nearly 30 full-time development staff. Part of this growth has been due to the absorption of two other companies: Makeni and HMC.

As tends to be the way, the older software is implemented in a range of old technologies and not in best practice.

With over 100 old products to be managed and limited resources, turnaround times can be long. Some of the products to be maintained are large and complex systems used by clients such as the BBC, UK Parliament recording, Europarl TV, several local government agencies, Volkswagen, Audi and a host of content and media suppliers.

To the credit of Mr. Ballard and his team, they not only removed the infection, but they fixed the vulnerability that allowed the SQL injection in the first place. (Specifically, a parameter was being passed directly from the web page into a SQL query with no validation, a big no-no in secure development.)
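To make the defect and its fix concrete, here is an added illustration of that pattern; it is not Twofour Digital's code (the post does not give the application's language or schema), and the in-memory table, its rows and the function names are all constructed for this example.

```python
import re
import sqlite3

# Constructed stand-in for a web chat application's session store.
# Some sessions are public; the "public = 1" clause is meant to hide the rest.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE chats (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO chats VALUES (?, ?, ?)",
        [(1, "Chat with the PM", 1), (2, "Internal briefing", 0), (3, "Draft session", 0)],
    )
    return conn


def lookup_chat_unsafe(conn, chat_id):
    # The mistake the post describes: the request parameter is pasted straight
    # into the SQL text, so anything in it is parsed as part of the statement.
    query = "SELECT id, title FROM chats WHERE public = 1 AND id = " + chat_id
    return conn.execute(query).fetchall()


def lookup_chat_safe(conn, chat_id):
    # Fix 1: validate the parameter against the shape it is supposed to have.
    if not re.fullmatch(r"[0-9]+", chat_id):
        raise ValueError("chat id must be a positive integer")
    # Fix 2: bind the value with a placeholder so the database driver treats it
    # as data, never as SQL text, regardless of what it contains.
    query = "SELECT id, title FROM chats WHERE public = 1 AND id = ?"
    return conn.execute(query, (int(chat_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal input:", lookup_chat_unsafe(db, "1"))
    # A tautology appended to the id rewrites the WHERE clause and exposes
    # the non-public rows; the parameter is interpreted as SQL.
    print("unsafe, crafted input:", lookup_chat_unsafe(db, "1 OR 1=1"))
    print("safe, normal input:", lookup_chat_safe(db, "1"))
    try:
        lookup_chat_safe(db, "1 OR 1=1")
    except ValueError as exc:
        print("safe, crafted input rejected:", exc)
```

Running it shows the unsafe lookup returning all three sessions for the crafted input while the safe one rejects it before any query runs.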

It’s easy to think that only small websites run by individuals are vulnerable, but as this example shows, even top sites managed by professionals need ongoing, careful attention paid to security.