NeighbourNET (caution, awful Flash splash page) is a platform used to power a number of local community websites in London:
It would be fair to say the visual presentation of the sites hints at there being security problems.
1. No passwords required for login
When you log in to the site, all you need is an email address. There are no passwords at all.
2. Posting name can be spoofed
The posting name and email are passed as parameters when posting a message, and they can be altered to any value you want.
This allows you to post as anyone else on the forum.
3. No cross-site request forgery protection
No requests to the site have any cross-site request forgery protection.
A user can visit another website, and that website can cause them to carry out actions on the site, such as posting messages.
4. Allows embedding of untrusted third-party content
The site embeds its own content using a URL passed as a GET parameter, and that parameter can be pointed at any third-party site.
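The server-side controls that would close issues 2, 3 and 4, as an added example rather than NeighbourNET's own code; the host name, session shape and handler signatures are assumptions:

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumption: the only origin the site should embed content from.
SITE_HOST = "example-neighbourhood.test"


def new_session(email):
    """Issue a session only after the user has actually authenticated.
    The session, not the request body, is the source of the poster's identity."""
    return {"email": email, "csrf_token": secrets.token_urlsafe(32)}


def post_message_vulnerable(form):
    """The pattern from issues 2 and 3: identity is taken from request
    parameters and nothing ties the request to a user's own session."""
    return {"name": form["name"], "email": form["email"], "body": form["body"]}


def post_message_hardened(session, form):
    """Identity comes from the session; the CSRF token is a per-session secret
    another origin cannot read, compared in constant time."""
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        raise PermissionError("missing or invalid CSRF token")
    # Any name/email supplied in the form is ignored on purpose.
    return {"email": session["email"], "body": form["body"]}


def embed_url_allowed(url):
    """Issue 4: only embed https content served from the site's own host."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname == SITE_HOST
```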
A mess of security issues. Considering that local councillors use these sites to communicate with the public, allowing impersonation is a serious issue.
The operators of the sites were informed on 4th May, so the issues are being disclosed after 60 days.
03/05/2016 – first email sent to NeighbourNET
04/05/2016 – email response received, issues sent by email, receipt acknowledged
17/05/2016 – chase on further response
14/06/2016 – chase on further response and state disclosure date of around 04/07/2016. Email acknowledged.
17/06/2016 – get response from vendor:
Chatted to the development team about the issues you raised.
They acknowledged that you have identified some potential security holes, but they have existed for a long time without ever having been exploited and there seems little incentive for anyone to try to do so.
We have been for some time now working on a completely overhauled site architecture, and whilst this project has been ongoing for some time we are now talking in terms of months rather than years before implementation. This would close these security holes and others.