NeighbourNET says claims of vulnerability are rubbish

Andrew Tierney, a security consultant, has stated that web platform NeighbourNET has horrid vulnerabilities that could compromise users.

The company’s sites are used for local news services, often by councils and councillors to communicate with residents. London districts preferred with sites powered by the service include Shepherds Bush, Wimbledon, and Hammersmith.

Tierney says that before publishing his findings overnight, he disclosed the flaws to NeighbourNet two months ago.

The NeighbourNET platform is susceptible to cross-site request forgery, username tricking, and logins that require only an email to access forum accounts, according to the consultant.

“It would be fair to say the visual presentation of the sites hints at there being security problems,” Tierney says.

“A mess of security issues – considering that local councillors use these sites to communicate with the public, allowing impersonation is a serious issue.

“A user can visit another website, and that website can cause them to carry out actions on the site, such as posting messages.”

Thanks to absence of whitelisting, it also lets untrusted third party content to be inserted into forum posts.

“This has only been tested with plain HTML, but if JavaScript, Flash or other content could be embedded, this would lead to cross-site scripting or malware delivery to users.”

In a correspondence written by NeighbourNET to The Register, says that it was directed to Tierney.

That email in part, says that NeighbourNet’s development team “acknowledged that you have identified some potential security holes but they have existed for a long time without ever been exploited and there seems little incentive for anyone to try to do so.”

“We have been for some time now working on completely overhauled site architecture and whilst this project has been ongoing for sometime we are now talking in terms of months rather than years before implementation. This would close these security holes and others,” says the email to Tierney we’ve been provided.

NeighbourNET also told The Register that the company’s site does not include any “nasty vulnerabilities that could compromise users”.

“Our sites have been operating for over a decade without a major issue with security. We note that Mr Tierney fails to give a single example of any actual occasion on which security is compromised,” the company says.

Source: The Register