Sunday, 3 January 2010

Spanish EU Council website is not secure?! (Updated 6x)


Update (Tuesday, 00:10): According to a statement of the Spanish government, there has been an XSS weakness in the presidency website.

However, this did not result in a manipulation of the content of the site itself but in a manipulation of what the user was seeing on the screen (as you can see on the screenshots below). According to the statement, these manipulated pages are only accessible through the specific URLs they are linked with and thus pose no general threat to users. I hope I have translated this correctly; the original version applies.

There is also a very informative blog post in Spanish explaining the factual and technical background of this story (via a tweet of the Spanish state secretariat for communication), including the shortcomings and misinterpretations in the coverage of this story.
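To make the distinction in the statement concrete, here is an added example (not code from the presidency site or from the original post) of a search-results page that reflects the `q` parameter of the URL, first unescaped and then HTML-escaped; the URL, the result list and the function names are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the server-side content of a search page.
# It never changes; only the query string carried by the URL varies.
SERVER_CONTENT = ["Agenda of the presidency", "Press releases"]


def _result_list() -> str:
    return "".join(f"<li>{html.escape(r)}</li>" for r in SERVER_CONTENT)


def search_results_unsafe(query: str) -> str:
    """Weak pattern: the query is echoed straight into the page, so any
    markup it contains is rendered by the visitor's browser."""
    return f"<h1>Results for: {query}</h1><ul>{_result_list()}</ul>"


def search_results_safe(query: str) -> str:
    """Same page, but the reflected query is HTML-escaped first, so the
    browser shows the characters as text instead of interpreting them."""
    return f"<h1>Results for: {html.escape(query)}</h1><ul>{_result_list()}</ul>"


def query_from_url(url: str) -> str:
    """Extract ?q= from a full URL the way a request handler would."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_from_url(url: str, safe: bool) -> str:
    renderer = search_results_safe if safe else search_results_unsafe
    return renderer(query_from_url(url))


def query_injects_markup(url: str) -> bool:
    """Defender-side check: the two renderings differ exactly when the
    query contains characters that would change the page's markup, which
    is what the crafted links described above rely on."""
    q = query_from_url(url)
    return search_results_unsafe(q) != search_results_safe(q)


if __name__ == "__main__":
    # Constructed link in the style of the ones discussed in the post.
    crafted = "https://example.invalid/search?q=%3Cb%3Ehi+there%3C%2Fb%3E"
    print(render_from_url(crafted, safe=False))  # <b> lands in the page
    print(render_from_url(crafted, safe=True))   # shown as literal text
    print(query_injects_markup(crafted))         # True
```

Note that the server content is identical in both renderings: the visitor's browser only shows something different because the URL itself carries the fragment, which is why the officials could say the site's content was not altered.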

Update (20:10): The Spanish secretary of state for communication has been issuing a message on Twitter saying that the pictures below are photomontages.

However, these are original screenshots from subpages (not the frontpage!) of the presidency website (the links to these subpages are below in the text although they don't reproduce the original shots anymore). Other users on Twitter confirm this here and here.

More important than the Mr. Bean photo that has been taken up by many was the "hi there" window that opened in my browser when opening the second link provided below - this was definitely some kind of code because it triggered a direct browser activity, and I then had to close the little window that you see on the screenshot.

As I have said in my post, I am no technical expert and I cannot say how grave such kind of things are, but they happened in front of my eyes.

Update (12:00): Presidency website is down right now. (Back online; may have been a short problem but occurred here and in Brussels, and after it re-appeared, the "What is going to happen" category is empty again)

Update (11:30): It seems like the problem has been fixed, both the picture of Mr Bean and the "hi there" message have been removed, the links provided below just show ordinary "no results" pages now.


I am no expert in IT security, but it seems like the website of the Spanish EU Council Presidency is not secure, despite the fact that Spain spends 9.65 million Euro (the initially reported figure of almost 12 million Euros has been corrected) for web services (including security) during its presidency.

At the following web discussions - here, here and here - people say that the site can be attacked via XSS, and they provided two links - here and here - that produced the following two results on the actual web page of the presidency (on subpages, not on the frontpage): apparently externally embedded code showing a picture of Mr Bean and a message saying "hi there" (both screenshots taken on 03/01/2010 at 23:00):




I suppose that this is no minor problem and needs rapid fixing.

PS.: I was made aware of this problem by alvaromillan on Twitter.

Update: I tried to send an email informing about the issue to the contact address of the Telefonica web team - ue2010 [..at..] telefonica.es - as provided on the Contact site of the presidency website, but the email was returned as "Unknown user". Very, very strange...

Update: At around 10 am I have sent an email to the Communication Advisor of the Spanish Representation informing about the issue.

15 comments:

Anonymous said...

For Spaniards it's especially funny that the image that appears is that of Mr. Bean, as parodies often portray our president Zapatero as him because of his resemblance to the British humorist ;)

Good start for the Spanish presidency... ¬¬

Ralf Grahn said...

Julien,

As I noted in an 'obiter dictum' on my blog yesterday, the Spanish presidency website was down in the morning, Sunday.

But last time I looked, events had appeared, so all news is not bad.

Julien Frisch said...

Well, we noted the calendar thing on Twitter during the day yesterday.

But a security weakness that allows the inclusion of external code (if this is what actually happens) is a different kind of problem.

I've now sent an email to the webmaster since it seems the problems have still not been solved (both links work at 9:20 am).

Ralf Grahn said...

Julien,

The European Digital Agenda I've been writing about lately is in the hands of the Spanish EU Council presidency.

It would be reassuring to know that they are able to structure, fill and manage even their own website in a meaningful and secure manner.

Martin said...

I suppose the adequate response should be: LOL.

Macarena Rodriguez said...

Julian, just for curiosity, have you received any reply to your mail?

Julien Frisch said...

Not yet.

Ralf Grahn said...

Julien,

The Spanish presidency website must be jinxed; I tried repeatedly just before 14:40 EET, and the pages were down again.

Ralf Grahn said...

Julien,

To Bean, or not to Bean ... but I hope that the Spanish government starts looking at the more serious issues of how its presidency pages aren't up to best standards with regard to materials, navigation etc.

Anonymous said...

That's not hacking. It's just searching for an HTML fragment.

Julien Frisch said...

I have never said it was hacking, I reported the discussions in the web fora, including the links, and made screenshots of what I actually saw, because there seemed to be some kind of issues I was not qualified to judge but still able to witness.

Brussels Blogger said...

I also noted already that the main email address of the Spanish presidency is non-functional :(

What I found interesting: German media reports that the website contract for the 6 months costs about 12 mio Euros. This is the real shame, given its low level quality.

PS: Your story got a link in the FT Brussels blog

Anonymous said...

Still working, would you like to see more secured content? hahaha

Here the result:
http://editurl.com/733

Unknown said...

the site is down again (18:40 CET Tuesday)...
