[ISN] Defense Intelligence Agency Fixes Risky Web Site Code

From: InfoSec News <alerts_at_private>
Date: Mon, 3 Nov 2008 02:28:04 -0600 (CST)

By Thomas Claburn
October 31, 2008 05:05 PM

The Defense Intelligence Agency Web site, until earlier this week, 
exposed job applicants to potential privacy and security risks because 
it included a link to JavaScript code hosted on a third-party Web site.

While there's no evidence that the site leaked personal information, the 
presence of a call to execute JavaScript code that resides on a 
Statcounter.com server in Ireland provided a weak link in the security 
chain that could have been exploited to provide potentially valuable 
foreign intelligence about future DIA personnel.

Security researcher Bipin Gautam sent an e-mail to the Full Disclosure 
security mailing list earlier this week outlining his concerns.

In a follow-up e-mail to InformationWeek, he explained the issue. "If a 
Web site includes third-party JavaScript like stat counters, 
advertisement scripts, [or] banners called from third-party servers, the 
Web site is at risk of having to rely on the third party as well for 
overall security assurance of its Web site," he said.
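The exposure Gautam describes is easy to audit for on your own pages: any `<script src>` whose origin differs from the page's origin hands code execution in the page to that host. The following check is an added example written for this post, not code from the article, the researcher, or the DIA site; the sample HTML and all hostnames in it are constructed and illustrative.

```python
"""Flag third-party <script src> includes in an HTML page.

Added example (not from the article): a defender's check for the exact
exposure described above, a page pulling executable JavaScript from a host
it does not control. The sample page and hostnames below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ScriptCollector(HTMLParser):
    """Collect every <script src=...> tag together with its SRI attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append({
                "src": a["src"],
                "integrity": a.get("integrity"),
                "crossorigin": a.get("crossorigin"),
            })


def origin_of(url):
    """Return (scheme, host, port) so comparisons ignore path and query."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)


def find_third_party_scripts(html, page_url):
    """Return script includes whose origin differs from the page's origin.

    Relative and protocol-relative src values are resolved against page_url
    first, because '//stats.example.net/counter.js' is still a foreign
    origin. Each finding records whether a Subresource Integrity hash is
    present; without one the browser runs whatever the foreign host serves.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    page_origin = origin_of(page_url)
    findings = []
    for s in parser.scripts:
        absolute = urljoin(page_url, s["src"])
        if origin_of(absolute) != page_origin:
            findings.append({
                "src": absolute,
                "host": origin_of(absolute)[1],
                "has_sri": s["integrity"] is not None,
            })
    return findings


# Constructed sample page: one local script, one foreign stat counter with no
# integrity hash, and one foreign library that does carry an SRI hash.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="//stats.example.net/counter.js"></script>
<script src="https://cdn.example.org/lib.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
</head><body>Careers</body></html>
"""

if __name__ == "__main__":
    for f in find_third_party_scripts(SAMPLE_HTML, "https://careers.example.gov/apply"):
        flag = "OK (SRI pinned)" if f["has_sri"] else "RISK: no integrity hash"
        print(f"{f['host']:24} {flag}  {f['src']}")
```

Running this over the constructed page reports the stat counter as unpinned and the CDN library as pinned. A Subresource Integrity hash only helps for a static file whose contents you can pin; a tracking script that the vendor changes at will cannot be pinned, so for that class of include the practical options are the ones the article implies: serve the script from your own origin, or drop it and restrict allowed script sources with a Content-Security-Policy `script-src` directive.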

Received on Mon Nov 03 2008 - 00:28:04 PST