
So although they are alright findings (arbitrary URL redirect and DOM-ish XSS), the main takeaway from the article is that it is WAY too hard to contact anyone from any form of CERT in the UK whatsoever.

I've tried myself to report vulnerabilities [1] and it's nearly impossible to find even the most generic of contact emails. I usually end up passing the info on to friends who do more gov work than myself. There REALLY needs to be a generic cert/security@gov.uk email somewhere.

[1] Not going out of my way to find anything, but in the past if I receive a (usually HMRC related) phishing email from a .gov domain, I'll try and dig up a CERT email, or JANET if it is university related.



While, yes, I did want to make out in the second half just how difficult it was to get in contact with a CERT, it's sad to hear the other half put down as 'alright findings'...

Sure, the first issue that made me get into tax bug hunting was a run-of-the-mill open redirect, but the second issue is an interesting DOMXSS in an obfuscated vendor codebase with a WAF bypass alongside some technical commentary I worked really hard on that allows you to read and write financial data. It's sad to see that equally significant portion of my work dismissed as 'alright findings'.


Don't feel diminished by comments like that. From a technical point of view the issues are great, but I think the parent comment was referring to the overall 'gist' of the issues - no SQL injection, RCE or other 'stupid' findings that indicate serious underlying problems with the site. The issues are 'alright', which lies between 'silly' (banner disclosure) and 'everything is fucked' (db access).

Also, more generally, don't take internet comments personally. You know how much effort you put in, and your writing reflects that. You're on BBC news for god's sake, congratulations.

Also 2, amazing writeup. I love your style, it rings a bell. #ezbake ?


Thank you. I may have reacted excessively. I'm glad you enjoyed it :)


Pretty much exactly what Orf said below. The writeup was great and you did a fantastic job of knowledge sharing (which is what this is all about tbh). However the "alright" refers to the two aforementioned medium risk issues.

When I saw "serious vulnerabilities" on a BBC news site, I figured - especially with the open sourcing of payg/gov code, the recent struts vulnerability, etc. etc. - there was going to be something really major, and felt a bit clickbaited. Don't take it personally, as it was never aimed at being personal.


Yeah, I'm sorry there... I thought this was pointed directly at my article. I agree, on the scale of things that could have potentially happened, that these things are in the middle of the scale.

But I do respectfully disagree that they can't be referred to as serious. It may be an XSS -- not critical in traditional bug taxonomies, and perhaps in an alternate future I could have dumped the whole DB -- but it is also an XSS in a tax system.

Again, sorry for perhaps over-reacting there.


>if i receive a (usually HMRC related) phishing email from a .gov domain

https://www.ncsc.gov.uk/blog-post/active-cyber-defence-tackl...

>We've already started some experiments in this area with pioneering UK SME Netcraft. They're off looking for phishing hosted in the UK, webinject malware hosted in the UK and phishing anywhere in the world that targets a UK government brand. When they find it, they ask the hosting provider to take down the offending site. It's surprisingly effective and again generates data we can use. We'll definitely do more in this space.

I suspect you can forward these to scam@netcraft.com to get the upstream providers automatically notified and the site monitored until it's down.


It's not so much malware, it's mainly open relays which are being used to bypass spam filters on hotmail et al. due to coming from a "legit" .gov or .edu domain.

It has been a while since I've received one though, in all fairness.

*edit - sorry, just read it properly: both malware and generic phishing. Sorry! Even so though, it would be really nice to have a streamlined process to go "hey, <shitty local council> has an open relay" whereby someone from within the UK gov could just forward on the email to the IT guy up there to at least make them aware of the issue.


The IT guy is attending DefCon on the council budget.


> I suspect you can forward these to scam@netcraft.com to get the upstream providers automatically notified and the site monitored until it's down.

This is accurate. Source: worked at Netcraft until recently.

Also, if the automated system rejects your report (Netcraft handles an awful lot of reports, false positives are unavoidable), reply to the rejection message explaining that you think it shouldn't be rejected and your message will be read and handled by a technical human.


It's even worse when you actually have an issue with tax repayments due.

I don't have a UK passport and they had moved me to the passport authentication on the website. Literally had contacted them a good 5 times, each time waiting for at least 3 weeks for the reply, constantly getting a pre-set response.

Ended up asking my accountant to tell me if my balance is not in check.

Can't say anything of the quality of the service itself though - that seems to be OK when it works. But their support is horrendous.



