- Joined
- Oct 26, 2008
- Messages
- 2,247
- Points
- 48
http://www.tremeritus.com/2013/11/15/google-refutes-idas-accusation/
Google refutes IDA’s accusation
Last week, PMO and Istana websites were “compromised”.
In the early hours of Friday (8 Nov), IDA issued a statement saying that a subpage for search on the PMO website was reported to be compromised:
A vulnerability in that subpage was exploited to display pages from other sources. This vulnerability is known as cross-site scripting. The PMO main website is still working, and we are working to restore the page that has been compromised. The matter is under investigation.
However, PMO main site remained working.
At a media briefing in Friday afternoon, IDA then blamed a vulnerability in the Google search bar used by PMO and Istana websites, which allowed the sites to be compromised [Link]:
“THE websites of the Prime Minister’s Office (PMO) and Istana were not hacked but were compromised, the Infocomm Development Authority of Singapore (IDA) said yesterday.
A vulnerability in the Google Search bar embedded on the websites’ subpage had been exploited by unknown parties in two attacks, the IDA said.”
What happened is that online visitors searching within PMO and Istana websites were redirected to view content and messages on another webpage resembling the two sites. The visitors thought that the websites had been defaced when in fact, they continued to work properly.
On Wed (13 Nov), a Google spokesperson refuted IDA’s charges:
“It has come to our attention that the PMO’s website recently experienced an attack in the search functionality of the site run by Google’s Custom Search Engine site-search widget.”
“After investigation, it appears that the code in the Google custom search engine is safe and the vulnerability lies with the coding on the webpage.”
In other words, IDA may have wrongly accused Google. Google said the vulnerability lies with how the webpages of PMO and Istana websites were coded.
Typically, when a visitor enters an input into the Google custom search engine which, in this case, was used by PMO and Istana websites, the web programmer should check and make sure that the search data is validated before proceeding to pass the data to the search engine. Apparently, this was not done for PMO and Istana websites.
In this regard, the lack of input validation allowed the vulnerability to be exploited. It has nothing to do with the Google custom search engine.
It’s not known who is doing the coding for the government websites. The job could be outsourced to programmers outside of the government.
IDA said the vulnerability has since been patched.
Google refutes IDA’s accusation
Last week, PMO and Istana websites were “compromised”.
In the early hours of Friday (8 Nov), IDA issued a statement saying that a subpage for search on the PMO website was reported to be compromised:
A vulnerability in that subpage was exploited to display pages from other sources. This vulnerability is known as cross-site scripting. The PMO main website is still working, and we are working to restore the page that has been compromised. The matter is under investigation.
However, PMO main site remained working.
At a media briefing in Friday afternoon, IDA then blamed a vulnerability in the Google search bar used by PMO and Istana websites, which allowed the sites to be compromised [Link]:
“THE websites of the Prime Minister’s Office (PMO) and Istana were not hacked but were compromised, the Infocomm Development Authority of Singapore (IDA) said yesterday.
A vulnerability in the Google Search bar embedded on the websites’ subpage had been exploited by unknown parties in two attacks, the IDA said.”
What happened is that online visitors searching within PMO and Istana websites were redirected to view content and messages on another webpage resembling the two sites. The visitors thought that the websites had been defaced when in fact, they continued to work properly.
On Wed (13 Nov), a Google spokesperson refuted IDA’s charges:
“It has come to our attention that the PMO’s website recently experienced an attack in the search functionality of the site run by Google’s Custom Search Engine site-search widget.”
“After investigation, it appears that the code in the Google custom search engine is safe and the vulnerability lies with the coding on the webpage.”
In other words, IDA may have wrongly accused Google. Google said the vulnerability lies with how the webpages of PMO and Istana websites were coded.
Typically, when a visitor enters an input into the Google custom search engine which, in this case, was used by PMO and Istana websites, the web programmer should check and make sure that the search data is validated before proceeding to pass the data to the search engine. Apparently, this was not done for PMO and Istana websites.
In this regard, the lack of input validation allowed the vulnerability to be exploited. It has nothing to do with the Google custom search engine.
It’s not known who is doing the coding for the government websites. The job could be outsourced to programmers outside of the government.
IDA said the vulnerability has since been patched.
