Teen admits hacking Istana site for 'a joke'

Melvin Teo, 18, is the second person to be convicted of unauthorised use of a computer service by hacking into a government website.
Melvin Teo, 18, is the second person to be convicted of unauthorised use of a computer service by hacking into a government website.ST FILE PHOTO

A student has admitted hacking into the Istana's website in what he claimed was a "harmless joke".

Melvin Teo Boon Wei yesterday became the second person to be convicted of unauthorised use of a computer service by hacking into a government website.

The Institute of Technical Education (ITE) College Central student carried out a cross site scripting (XSS) attack on the portal on Nov 8 last year after communicating with Delson Moo Hiang Kng, 43, who was fined $8,000 on June 5 for a similar cyber attack around the same time.

The 18-year-old first-year Nitec electronics student admitted to one of four charges of gaining unauthorised access to the server that hosted the Istana webpage at about 12.45am on Nov 8.

He hacked into the site to display the phrase "Melvin Teo For The Win!" with two caricatures of himself and some Chinese characters.

The court heard that XSS attacks are performed by "injecting" a script into the Web application by exploiting a security vulnerability - in this case the Google search page embedded in the Istana website.

Instead of entering pure text search terms, Teo entered hypertext markup language (HTML) code that he had crafted.

Deputy Public Prosecutor Kumaresan Gohulabalan said Teo learnt about the vulnerability on the Istana website from other users on Facebook.

At the time, XSS scripts that had been used to compromise the Google search page on the Prime Minister's Office (PMO) website were being disseminated on the Internet.

After the search function on the PMO website was disabled, Teo injected the modified script into the Istana website.

DPP Kumaresan said that although Teo's defacement did not cause any damage to the contents of the Istana server, it had inconvenienced the website operator as well as potential users.

"XSS attacks can be used for more pernicious purposes than just defacing Web applications," he said.

"Attackers can create pages that look identical to Web applications where victims enter confidential personal information and, subsequently, use XSS to steal this information - such acts would be a form of 'phishing'."

He argued it was in the public interest to ensure cyber security and public confidence.

Teo's lawyer V. Esvaran said his client did not realise the serious nature of the offence at the time. He was very contrite, remorseful, ashamed and regretted his folly.

"The accused's naivety and curiosity, coupled with the encouragement and influence of mature, older individuals and his belief that he was only causing a harmless joke, caused him to commit the offence," he said.

Community Court Judge Lim Keng Yeow called for a probation report on Aug 4.

The maximum penalty for the offence is a $10,000 fine and three years' jail.

elena@sph.com.sg