Further analysis by Trend Micro researchers on the reported defacement of the Singapore Prime Minister Office website revealed that the website was not actually defaced — attackers abused the search function of the Singapore PMO website to display an image that looks like a hacked version of the site.
Figure 1. Image shown from within the PMO website that falsely claims the site was hacked
The attackers exploited an XSS vulnerability in the website’s search page by entering, as the search string, code that triggers the display of the image. The web page executed that code and displayed the image, along with text that said “ANONYMOUS SG WAS HERE BIATCH~”, giving the impression that the website had been defaced.
We’d like to point out that the Singapore PMO website remains intact and was not compromised in any way. Ordinary visitors to the site will not see the image, since it appears only when the URL with the injected script embedded is accessed. The attackers drove users to that link by distributing the URL through social media.
This attack is a form of cross-site scripting, or XSS, and has been seen in many attacks in the past, including those that affected other government websites. XSS vulnerabilities are low-hanging fruit for attackers: the likelihood of a website having them is very high, so they are seen as one of the easier routes for attacking a website.
This ease of execution for hackers, however, is matched by serious risk for the potential targets. While the attack on the PMO website only triggered the display of an image, we have seen other attacks that triggered redirections to malicious sites, leading visitors to malware.
We strongly recommend that website developers make sure their sites are fully secure against XSS attacks through the following means:
- Review the website code regularly to make sure that it is configured to prevent code injection. This can be done by setting limitations on input contents in order to reject special characters, as well as by sanitizing output through HTML-encoding user-supplied input/strings.
- Scan for web application vulnerabilities to identify possible attack vectors and address them immediately.
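The following is an added example, not code from the original post or from the PMO website, illustrating both the reflected-XSS pattern described above and the two countermeasures just listed. A search handler that copies the raw `q` parameter from the URL into the results page is shown beside a hardened version that HTML-encodes the search string before rendering, plus an input-side check that rejects characters with no legitimate use in a search term. The hostname, the `q` parameter name, the page template and the sample queries are all constructed for this illustration.

```python
import html
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed sample inputs (not from the original post): a benign search term
# and a search term carrying injected markup of the kind reflected XSS relies on.
BENIGN_QUERY = "budget speech 2013"
INJECTED_QUERY = '<img src=x onerror="alert(1)">'

# Hypothetical search URLs; the host and parameter name are assumptions.
SEARCH_ENDPOINT = "https://pmo.example/search?q="
BENIGN_URL = SEARCH_ENDPOINT + quote(BENIGN_QUERY)
INJECTED_URL = SEARCH_ENDPOINT + quote(INJECTED_QUERY)

# Minimal results page; the search string is reflected into the heading.
PAGE_TEMPLATE = "<html><body><h1>Search results for: {query}</h1></body></html>"


def query_from_url(url: str) -> str:
    """Extract the 'q' parameter as a browser-submitted search would carry it."""
    params = parse_qs(urlparse(url).query)
    return params.get("q", [""])[0]


def render_search_vulnerable(query: str) -> str:
    """Reflects the raw search string into HTML. Anything the URL carries in
    'q' (tags, event handlers) is handed to the browser to interpret."""
    return PAGE_TEMPLATE.format(query=query)


def render_search_hardened(query: str) -> str:
    """Output-encodes the search string before placing it in HTML, so markup
    in the query is displayed as literal text rather than executed."""
    return PAGE_TEMPLATE.format(query=html.escape(query, quote=True))


# Input-side limitation: characters that never belong in a search term on this
# hypothetical site. This complements, and does not replace, output encoding.
FORBIDDEN_CHARS = re.compile(r"[<>\"'`]")


def validate_query(query: str, max_len: int = 200) -> bool:
    """Return True when the query is within length and free of forbidden characters."""
    return len(query) <= max_len and FORBIDDEN_CHARS.search(query) is None


def handle_search_request(url: str, hardened: bool) -> str:
    """Simulate the server's handling of a search URL with or without the fix.
    The hardened path rejects invalid input outright and encodes what it renders."""
    query = query_from_url(url)
    if not hardened:
        return render_search_vulnerable(query)
    if not validate_query(query):
        return render_search_hardened("(invalid search term)")
    return render_search_hardened(query)


def reflects_raw_input(rendered_page: str, query: str) -> bool:
    """Detection helper: does the rendered page contain the submitted string verbatim?
    For markup-bearing input this is exactly the condition reflected XSS needs."""
    return query in rendered_page


if __name__ == "__main__":
    for label, hardened in (("vulnerable", False), ("hardened", True)):
        page = handle_search_request(INJECTED_URL, hardened=hardened)
        print(label, "reflects raw markup:", reflects_raw_input(page, INJECTED_QUERY))
```

The benign query renders identically on both paths, which is the point of output encoding: it changes nothing for legitimate input and only neutralises characters that would otherwise be parsed as HTML. The `reflects_raw_input` check is the same test a scanner applies when probing a search page, so it doubles as a quick regression check for the fix.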