Despite a string of warnings, high-profile Web sites remain vulnerable to damaging attacks by hackers who create pages designed to look as if they have been published by trusted sources.

The flaws, classed as code insertion or cross-site scripting vulnerabilities, have already been used to steal cookies and credit card numbers. In one case, a hacker published a bogus press release describing financial difficulties at computer storage firm Emulex. The release was reported by news agencies including Bloomberg, causing a sharp fall in Emulex's share price.

Despite a warning six months ago, IT Week has discovered that many leading sites, including that of the Washington Post, remain vulnerable. Last week we were able to create a URL beginning with www.washingtonpost.com that linked to an arbitrary story on another site, the result appearing to be a legitimate part of the newspaper's Web site. The newspaper failed to return calls requesting comment.

This type of flaw has been exploited by hackers who use email messages or Internet chatrooms to distribute URLs pointing to pages displayed via vulnerable Web sites.

The URL begins with the site's correct address, but also includes scripting code, such as JavaScript. The resulting page combines data from both the vulnerable site and from a site of the hacker's choosing.

Vulnerabilities are caused by poor Web site design, allowing hackers to insert scripting commands into Web pages, and by lax security settings in browsers. Although the Cert security Web site documents the flaw and explains how to tackle it, most Web sites are still not secure. "I can't think of a single Web site that we have checked in the past year that was not vulnerable," said Gunter Ollmann of security firm Internet Security Systems.

Fixing the flaw can be a complex task, as the bug may exist thousands of times within a site. One Webmaster said the best solution is to redesign the way that scripts are processed and to use a single servlet to check for malicious scripts on all pages. But the work may take many months, and Ollmann warned that even this painstaking approach was not guaranteed to guard against scripts in unusual file formats, such as Flash.

Many site designers are unfamiliar with URLs used in this way, but when IT Week supplied the relevant URL to the Webmaster of one vulnerable site, he produced a JavaScript fix in less than a day.

Legal issues are also raised. Hackers do not actually gain access to target Web sites, so charges under the Computer Misuse Act are unlikely to succeed. Moreover, the malicious script is delivered by the target sites, so victims could be liable. Firms may also be sued for libellous material spread in this way, and may face penalties under the Data Protection Act for mishandling customer data.

Have your say: contact IT Week