A claim by the U.K. Daily Express Thursday that spy agency MI5’s ...

the Web site of the counter-intelligence and security agency and collected information about everyone who visited, Sophos Senior Technology Consultant Graham Cluley wrote on his blog. The newspaper also reported the hackers downloaded viruses onto the computers of visiting users, he said. But the story wasn’t what it seemed, he wrote later in “MI5 website hack overhyped by Daily Express.” There was a problem with the Web site, Cluley told us. Some “gray hat” hackers found a vulnerability and told MI5, which fixed it, he said. The hack wasn’t done maliciously and no information was taken, he said. Moreover, there’s no sensitive information on the Web site, he said. The hack “is an example of Cross Site Scripting (XSS),” said Matt Hampton, chief technology officer at security firm Imerja. MI5’s site wasn’t validating input before displaying it and, as a result, “malicious information could have been published, potentially causing a huge amount of embarrassment and potentially harm,” he said. The breach is important because MI5 should have been running a more secure site, Cluley said. More shocking, said Hampton, was the revelation that the government site hasn’t been audited for XSS vulnerability. All local government systems that face the Internet must be scanned for potential problems and it’s “strange, and indeed worrying, that a Central Government site hasn’t met these requirements,” he said. “Apologies dear Clu-blog readers, as I've let you down,” Cluley wrote.