The majority of government websites include outdated programs with known vulnerabilities, researchers at the Optus Macquarie Cyber Security Hub say.
A three-year audit [pdf] of over 1800 externally-facing state, territory and federal government websites found that, despite overall improvements in cyber security, many pages remain vulnerable to attacks and insecure data transmission.
“The good news is that the security of government websites has improved significantly, rising from just 36 percent adopting the secure HTTPS protocol in 2018, to 84 percent using HTTPS in 2020,” Optus Macquarie Cyber Security Hub executive director, Professor Dali Kaafar said.
Of those that do use HTTPS, 3.9 percent of federal government sites and 7.4 percent of state and territory government sites present insecure server configurations due to weaknesses in cryptographic mechanisms, support of vulnerable protocols or untrusted certificates, potentially placing client information at risk of being intercepted by bad actors, the researchers said.
The researchers said the outdated libraries could expose users to several threats, “especially cross-site scripting (XSS), in which remote attackers exploit the known vulnerabilities to inject arbitrary script/code in the webpage”.
“Considering the total set of Australian government websites (federal government and state/territory ones), we detected 2004 instances of vulnerable libraries across 1862 websites,” the researchers said.
“We find that … the majority of webpages (>57 percent) include at least one vulnerable library.
“Most vulnerabilities come with old versions of popular libraries such as jQuery (for example, more than 33 percent of Australian government websites use old versions 1.4.4 – 1.12.4, while the latest version is 3.4.1), jQuery UI (vulnerable library versions detected in 10 percent of websites) and Bootstrap (5.5 percent of government websites with outdated library versions).”
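The kind of check behind those numbers, as an added illustration rather than the researchers' own tooling: a small Python scanner that pulls `<script>`/`<link>` asset URLs out of a page, recognises jQuery, jQuery UI and Bootstrap, extracts the version embedded in the file name or path, and compares it numerically against a baseline. The only baseline taken from the article is jQuery 3.4.1; jQuery UI and Bootstrap are inventoried without a verdict because the article gives no current version for them. The sample HTML is constructed for the example and the library-name patterns and URL layouts are assumptions about common deployments, not findings from the audit.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample page (not from the audit): one asset reference per library,
# plus an unrelated script that the scanner must ignore.
SAMPLE_HTML = """
<html><head>
<script src="/static/js/jquery-1.12.4.min.js"></script>
<script src="https://code.jquery.com/ui/1.12.1/jquery-ui.min.js"></script>
<link rel="stylesheet" href="/assets/bootstrap-3.3.7/css/bootstrap.min.css">
<script src="/assets/bootstrap-3.3.7/js/bootstrap.min.js"></script>
<script src="/static/js/app.js"></script>
</head><body></body></html>
"""

# Baseline: the article names 3.4.1 as the latest jQuery release at the time.
# jQuery UI and Bootstrap get no baseline here, so they are inventoried only.
BASELINE: Dict[str, str] = {"jquery": "3.4.1"}

# Any <script src=...> or <link href=...> attribute value.
ASSET_RE = re.compile(r"""<(?:script|link)\b[^>]*?(?:src|href)\s*=\s*["']([^"']+)["']""", re.I)
# First dotted version-like token in a URL, e.g. 1.12.4 or 3.3.
VERSION_RE = re.compile(r"(\d+\.\d+(?:\.\d+)?)")
# Assumed file-name conventions. Order matters: "jquery-ui" must be tested
# before the plain "jquery" pattern, which would otherwise claim it.
LIBRARIES = [
    ("jquery-ui", re.compile(r"jquery[-_.]?ui", re.I)),
    ("bootstrap", re.compile(r"bootstrap", re.I)),
    ("jquery", re.compile(r"jquery", re.I)),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric tuple, padded to three parts, so 1.12.4 sorts after 1.4.4.
    Plain string comparison would rank "1.12.4" below "1.4.4"."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def identify(url: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (library, version-or-None) if the URL looks like a known library."""
    for name, pattern in LIBRARIES:
        if pattern.search(url):
            m = VERSION_RE.search(url)
            return name, (m.group(1) if m else None)
    return None


def audit_html(html: str, baseline: Dict[str, str] = BASELINE) -> List[Dict[str, Optional[str]]]:
    """Inventory recognised libraries on one page and flag those below baseline."""
    findings: List[Dict[str, Optional[str]]] = []
    seen = set()
    for url in ASSET_RE.findall(html):
        hit = identify(url)
        if hit is None or hit in seen:  # skip unknown assets and css/js duplicates
            continue
        seen.add(hit)
        name, version = hit
        if version is None:
            status = "unknown version"      # needs a content-hash lookup instead
        elif name not in baseline:
            status = "no baseline"
        elif parse_version(version) < parse_version(baseline[name]):
            status = "outdated"
        else:
            status = "current"
        findings.append({"library": name, "version": version, "status": status})
    return findings


def outdated_libraries(html: str, baseline: Dict[str, str] = BASELINE) -> List[str]:
    """Just the names that fall below their baseline, for a summary count."""
    return [f["library"] for f in audit_html(html, baseline) if f["status"] == "outdated"]


if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML):
        print(f"{f['library']:<10} {f['version'] or '?':<8} {f['status']}")
```

Run against the constructed page, the scanner reports jQuery 1.12.4 as outdated against the 3.4.1 baseline and lists jQuery UI 1.12.1 and Bootstrap 3.3.7 without a verdict. A version-less file such as `jquery.min.js` is reported as "unknown version": in that case the file name tells you nothing, and the practical next step is to fingerprint the file's contents rather than trust the path.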
The researchers used a star rating system to compare state and federal cyber postures, with five stars representing “excellent” security.
Kaafar warned that despite the overall improvements in webpage security, “criminals only require a small crack in a window to get into the house”.
The federal government’s first annual cybersecurity threat report released in September showed there were 2266 cybersecurity incidents and 59,806 cybercrime reports logged over the last financial year, with a rise in Covid-19 themed scams from March onwards.