Dozens of U.S. government websites appear to contain a flaw enabling anyone to generate URLs with their domains that redirect users to external sites, a handy tool for criminals hoping to infect users with malware or fool them into surrendering personal information.
Gizmodo first reported a year ago that a wide variety of U.S. government sites were misconfigured, allowing porn bots to create links that redirected visitors to sites with colorful names like “HD Dog Sex Girl” and “Two Hot Russians Love Animal Porn.” Among those affected was the Justice Department’s Amber Alert site, links from which apparently redirected users to erotic material.
Following Gizmodo’s report, a handful of government offices changed their settings to address the problem. The problem persists, unfortunately, and several new websites appear to be affected. While it appears that mostly porn bots are taking advantage of these poorly configured sites, it also poses a serious security concern.
The ability to generate malicious links that appear to lead to actual government websites can be a handy pretense for criminals conducting phishing campaigns. What’s more, these malicious redirects may be used to send users to websites masquerading as official government services, encouraging them to hand over personal information, such as names, addresses, and Social Security numbers.
Last week, for example, StateScoop reported that a foreign hacker had set up phony versions of local government sites throughout the U.S. with the aim of stealing information from small and medium-sized businesses. The websites impersonated included those belonging to government officials in San Mateo, California; Tampa, Florida; North Las Vegas, Nevada; and Dallas County, Texas.
A year after Gizmodo’s article, Google has continued to index redirect links from government domains that point users to what appears to be pornography. A redirect from Whistleblowers.gov—a site run by the U.S. Commodity Futures Trading Commission (CFTC)—points users to “Free Extreme brutal porn Videos.” Another link from the Department of Health and Human Services’ Healthfinder.gov website sends users to watch a “Menage A Trois With Russian Teen Babe.”
Theoretically, the same trick being used by bots to generate backlinks to porn—presumably in an attempt to boost their search rankings—could also be used to redirect users to websites hosting malware.
“This isn’t a problem that requires a cybersecurity contractor to discover. It just comes up through some fairly basic Google searches,” says David Maass, an investigative researcher at the Electronic Frontier Foundation. “I was able to turn up several dozen agencies in just about 20 minutes of searching. I don’t think it’s a particularly hard problem to fix.”
“What makes it worse is that even after this issue was reported in a national news outlet, it still didn’t trigger a review,” he added.
It’s not just federal agencies affected. Several redirects from the U.S. Senate’s page point users to such cinematic classics as “Thick White Wife and Black Cock” and “POV 3D Hentai Blowjob.” The official site for the Dwight D. Eisenhower Memorial appears to have, at least at one point, hosted a variety of pornographic material.
State governments, too, are affected. Many links emanating from agencies and offices in Wisconsin, Minnesota, Kentucky, Colorado, Florida, and Georgia point users to not only porn but what appear to be online scams.
Some redirects, such as one using the domain of the National Cancer Institute’s Cancer.gov website, point to pages offering discounts on erectile dysfunction medication.
What’s causing this? In all likelihood, the web applications behind these websites aren’t configured to prevent just anyone from generating a redirect link to an external site. But the issue can be remedied quite easily.
Here’s a lengthier explanation of the issue offered by the Open Web Application Security Project (OWASP):
Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.
Depending on the web application used by the sites, these unvalidated redirects can be switched off completely. But even if not, there are other ways to mitigate the problem. One way is to at least warn users that they’re leaving an official government website. That’s what DOJ was doing before its Amber Alert page was fixed. Users were prompted by a message warning them: “You are now leaving a Department of Justice Web site.”
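As an added example (not code from the article, OWASP, or any agency named here), a small Python model of the redirect endpoint: the trusting version that produces the flaw described above, beside one that applies the OWASP advice and the DOJ-style “you are leaving” interstitial. The host names are constructed placeholders.

```python
from urllib.parse import urljoin, urlsplit

# Constructed example values: the origin that serves the redirect endpoint and
# the hosts it may send users to directly. A real deployment would load its own
# list; these are not taken from any site named in the article.
BASE_URL = "https://www.example.gov/"
SAME_SITE_HOSTS = {"www.example.gov", "example.gov"}


def vulnerable_redirect_target(next_url: str) -> str:
    """The flaw the article describes: the caller-supplied target is trusted as-is,
    so ?next=https://evil.example becomes a redirect off the government domain."""
    return next_url


def classify_redirect(next_url: str, base: str = BASE_URL,
                      same_site_hosts=SAME_SITE_HOSTS):
    """Decide what to do with a requested redirect target.

    Returns (action, url):
      ("redirect", url)  same-site target, follow it directly
      ("warn", url)      external http(s) target, show a 'you are leaving' page first
      ("reject", base)   malformed or non-web target, send the user to the base URL
    """
    if not next_url:
        return ("reject", base)
    # Browsers treat backslashes as forward slashes, so '/\evil.example' would
    # otherwise look like a harmless relative path but land on evil.example.
    candidate = next_url.replace("\\", "/")
    # Resolve relative targets against our own origin: '/page' becomes
    # https://www.example.gov/page, while a scheme-relative '//evil.example/x'
    # resolves to https://evil.example/x and is caught by the host check below.
    absolute = urljoin(base, candidate)
    parts = urlsplit(absolute)
    if parts.scheme not in ("http", "https"):
        return ("reject", base)            # javascript:, data:, file: ...
    host = (parts.hostname or "").lower()  # hostname drops any user@ prefix and port
    if not host:
        return ("reject", base)
    if host in same_site_hosts:
        return ("redirect", absolute)
    return ("warn", absolute)


def leaving_notice(url: str) -> str:
    """Interstitial text in the spirit of the DOJ warning quoted above."""
    return f"You are now leaving this site for {urlsplit(url).hostname}. Continue?"
```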
Gizmodo is currently in the process of contacting as many of the government agencies affected by this issue as it can.