Tools designed to allow users to upload content to news sites are making web publishers increasingly vulnerable to computer hacking, according to a report.
The trend for uploading users' text, photos and videos has created more opportunity for hackers, who can hide viruses or malicious software in seemingly innocent files, according to the research by security consultancy the NCC Group.
NCC Group's report stated that news sites are complacent and unprepared in their approach to web security and at "serious risk".
The introduction of more enterprise offerings, such as partnerships between content and retail sites, provides further incentives for criminal gangs.
NCC Group also said the success of the chip and pin system for payment cards, introduced in February 2006, has driven criminals towards more computer hacking.
The report added that news sites are doubly vulnerable as a target for both politically motivated hackers, or "hactivists", and financially motivated criminal gangs.
While hactivists may seek to deface a website or alter information, more well-organised criminal gangs will target retail services and computer servers that host web advertising.
In one common method known as an SQL injection, hackers exploit weaknesses in sites through entry points such as a search or login box, to gain access to the server.
They can then instals software that can take screen shots from users' computers, monitor keyboard input or take complete control of the users' terminal.
Hackers could also seek out sensitive news releases on business or financial information issued under embargo.
In February, the US financial regulator, the Securities and Exchange Commission, issued a lawsuit against Blue Bottle, a financial company that allegedly obtained information on 12 firms that it then used to buy and sell shares. Blue Bottle had traded shares including those of software firms Symantec and Real Networks.
An awareness campaign conducted by NCC Group In January demonstrated that half the UK's publicly listed companies were vulnerable to security breaches due to their own staff.
The group posted an anonymous "party invite" on a USB memory stick to 500 UK companies - and an average 47% of recipients plugged the device in to their work computer.
Of the media companies involved, 65% of media agencies, 60% of internet companies and 53% of publishing firms opened the invite.
"Against an average rate of 47%, this suggests complacency in the sector," NCC Group said.
It concluded that the most basic problems with poorly implemented applications and badly patched servers - where temporary coding fixes have been put in place - are "a serious risk".
"This sector is not mature in its approach to security, and these are very probably issues for even the largest newspapers who are potentially vulnerable to attack by every type of hacker in a way that other organisations are not, due to the type of information published, number of visitors and strength of brand name," NCC Group added.
Lloyd Brough, management consultant for NCC Group, said media companies needed to invest in staff with more technical expertise.
"Historically, web security hasn't been seen as important as it is for say the financial sector, because the priority has been the content," he added.
"But these companies need to have investment time-wise, in technical support and security. Most of this is common sense, ensuring that servers are patched up, that new vulnerabilities are dealt with and that new hacking techniques are looked at. And with third-party hosting, it is key to ensure that checks are carried out."
On Friday, an official inquiry was launched into a security breach at TK Maxx after hackers obtained the details of up to 45m credit and debit cards used in stores across the US, Canada, UK and Ireland.
Hackers commonly use a number of web forums and retail sites, including one modelled on eBay, to sell and exchange tips, methods and information. Some users even offer themselves as "hackers for hire".
The most common credit card fraud is when card details are given by phone or online. UK payments association Apacs announced last month that credit card fraud had fallen 3% from 2005 to 2006 to £428m, although fraud using card details acquired via the phone or online accounted for £212.6m of that.
