Mr Bean invades EU Site (opens in new tab)

ha ha!!! brilliant. ? but you can't instigate a x-domain attack externally - so the 'hacker' would either had direct internal access to the site, or the ability to remotely change a 3rd party library already embedded in the site, no?