he vast majority of Italian institutional web portals are unsafe and could expose citizens and employees to malware and cyber attacks. This cry of alarm comes from computer security experts and activists of the mes3hacklab of Mestre , who conducted an independent investigation to verify the level of updating of the software on which the institutional pages are based.

The results of the research, which Agid was able to consult on an exclusive basis, were shared with the Italian Computer emergency response team for public administration (Cert-Pa) , which invited the administrations to verify that their website is always updated to the latest software release in use “. The analysis carried out shows that the vast majority of institutional web portals are classified as “unsafe”, for example, when they do not even use the common https protocol as in everyday life should be done by lending the side to data breach and computer’s crime.

Web platform vulnerabilities

They are called CMS (Content management system) and they are platforms that allow webmasters to manage an Internet site without having to know programming languages. The research examined the three most common CMS(Drupal, Joomla and the most famous WordPress) and has scanned all the domains and subdomains of 7554 of the 7954 Italian Municipalities, to check the status of the updates. Keeping an up-to-date system means protecting it from vulnerabilities as they are discovered by developers, so as to prevent it from being exposed to hacker attacks. 

But the data are alarming: on average, 67 percent of the analyzed And especially for those who use WordPress, 29 percent of the versions in use dates back to before 2015. Just as regards WordPress – which is also the most widespread CMS -, 35 percent of the sites that use it are updated until version 4.6, released in August 2016. Since then three new versions of the software have been released (not counting the intermediate updates), from 4.7 to 4.9. The risk in this case is that all the vulnerabilities discovered in the last twenty-four monthsmay still affect institutional sites . As in the case of the bug called “Rest-Api”, which allows a hacker to “deface” a site by changing its appearance and contents.

Until its discovery in early 2017 and the release of a WordPress version that solved the problem, this vulnerability was used to attack one and a half million sites worldwide. From the data collected by the research team, however, it emerges that 37.62 percent of the domains on which the sites of Italian municipalities reside would work with earlier versions of the software, making them still vulnerable to attack.