I think that El Jefe must’ve slept in as the daily news isn’t up yet…
I’m surprised at how quickly this story is spreading…
It seems that the CIA has had a bit of an XSS problem (as it turns out, for a while now) and Wired’s Threat Level thought it would be a good one to exploit — purely for the props ya know.
In an age where JavaScript is so ubiquitous that some websites won’t even load if you don’t enable in your browser, cross-site scripting hacks are everywhere – letting malicious or merely mischievous hacker create links that have some very unintended consequences on websites that are not careful to keep from executing other people’s code.
Most are run-of-the-mill and hardly worth writing about, but reader Harry Sintonen writes in with a vulnerability on the CIA’s site that THREAT LEVEL can’t resist.
For those of you who don’t see it after clicking through, notice that the links lead to the CIA’s site, but displays a recent THREAT LEVEL story. Here the CIA search box fails to rip out characters that will run as a script when the site tries to process the search query.
Ryan goes on to take a mea culpa for the Wired site having roughly the same problem, which I find to be really a mature response to an “oops”.
I’m a pretty ballsy guy, but I’m not sure I would’ve gone as far as to goof around with the nice folks at the Company.
What do you think of this sort of “information sharing and disclosure” in a public forum?
[tags]oops, cia, xss, threat level, wired[/tags]