Wednesday, April 01, 2009

Hacker strikes web site of U.S. Intl. Religious Freedom Commission

Not only is USCIRF's Iraq recommendation being overlooked. So is its web security.

See the hack in action (screenshot):

The ringtone and medication spam are viewable in Google's search results and in Google's cache, but not on the site proper.

This U.S. government site is a victim of the spam link injection hack. One victim provides further information on the attack, writing:
The hack I fell victim to involves some waste of space making secret changes to Wordpress source files and the Wordpress database enabling him to output a tonne of hidden links on all blog pages via a hidden Wordpress plugin.


It appears USCIRF itself uses Joomla, which is also vulnerable to the hack.

Brief research indicates that the injected links are served only to search engine bots, not to ordinary visitors. Besides producing spam, the attack drags down the affected site's page ranking in search engines and thus reduces the likelihood that internet users will find useful information on it.
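Added example, not from the original post: one defensive check for the cloaking described above. It compares the copy of a page a browser receives with the copy a crawler user-agent receives and reports links that only the crawler sees or that sit inside hidden elements. The function names, the sample HTML and the host spam.example are constructed for this example.

```python
from html.parser import HTMLParser

HIDDEN_STYLES = ("display:none", "visibility:hidden")
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # never get an end tag

class LinkCollector(HTMLParser):
    """Collect (href, hidden) pairs; hidden is True when the anchor or any
    enclosing element has an inline style that hides it from human visitors."""
    def __init__(self):
        super().__init__()
        self.links, self._stack, self._hidden_depth = [], [], 0

    def _enter(self, tag, attrs, push):
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = any(h in style for h in HIDDEN_STYLES)
        if push:  # void and self-closing tags open no scope
            self._stack.append((tag, hidden))
            self._hidden_depth += hidden
        if tag == "a" and attrs.get("href"):
            self.links.append((attrs["href"], hidden or self._hidden_depth > 0))
    def handle_starttag(self, tag, attrs):
        self._enter(tag, dict(attrs), push=tag not in VOID_TAGS)
    def handle_startendtag(self, tag, attrs):
        self._enter(tag, dict(attrs), push=False)
    def handle_endtag(self, tag):
        while self._stack:  # pop back to the matching open tag
            name, hidden = self._stack.pop()
            self._hidden_depth -= hidden
            if name == tag:
                break

def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links

def cloaked_links(browser_html, crawler_html):
    """Return (bot_only, hidden): hrefs served only to the crawler, and hrefs the crawler sees inside hidden elements."""
    human_hrefs = {h for h, _ in extract_links(browser_html)}
    crawler = extract_links(crawler_html)
    bot_only = sorted({h for h, _ in crawler} - human_hrefs)
    hidden = sorted({h for h, hid in crawler if hid})
    return bot_only, hidden

# Constructed sample: one page as a browser receives it and as a crawler receives it.
BROWSER_HTML = ('<html><body><h1>Annual Report</h1>'
                '<a href="/reports/2009">Read the report</a><br></body></html>')
CRAWLER_HTML = BROWSER_HTML.replace("</body>", (
    '<div style="display: none"><a href="http://spam.example/ringtones">ringtones</a>'
    '<a href="http://spam.example/pills">cheap meds</a></div></body>'))
```

In practice the two inputs come from fetching the same URL twice, once with a browser User-Agent and once with a crawler User-Agent; either returned list being non-empty is a signal that the site is serving content to search engines that visitors never see.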

Given the mission of the U.S. Commission on Religious Freedom, it is hard not to speculate whether the site was deliberately targeted by freelance or government hackers who wished to bury information they found to be disparaging of their country.

In addition to adversely affecting the dissemination of USCIRF findings, the bad security practices which allowed this hack may render sensitive information vulnerable to exposure and may help make public the commission's reports before they are intended to be released.

The U.S. State Department isn't paying much attention to the USCIRF's Iraq recommendation. Thanks to these hackers, internet users won't be paying attention either.
