A website run by the US Justice Department and used to gather information about missing and abducted children is redirecting visitors to porn sites with names such as “schoolgirl porn” and “ungrateful huge boobs Indian wife being a slut,” Gizmodo has discovered.
A redirect bug on AmberAlert.gov allows anyone to create backlinks on the DOJ-run site—functionality apparently too good to pass up for some porn bots. The Amber Alert site is being manipulated by at least a half dozen porn sites (and an untold number of others), likely in a sad attempt to boost their Google rankings.
Amber Alert, for those without a cellphone or a radio, is the emergency broadcast system used by law enforcement in 50 states to raise the alarm when there’s reasonable belief a child has been abducted.
At time of writing, it’s possible to alter the .gov website’s URL and generate an unvalidated redirect page bearing DOJ and Amber Alert logos which can be used to send visitors anywhere on the web.
Porn bots are known to crawl the web in search of this specific type of redirect flaw. By generating backlinks across the internet, a porn site can theoretically improve its PageRank score, the system used by Google to determine how high a web page should rank in search results.
“This is like the 1990s called and wants its vulnerable redirect script back,” said Adriel Desautels, founder of the penetration testing firm Netragard.
While this barely counts as a security vulnerability, as it doesn’t actually endanger the DOJ’s network in any way, it could be used by a crafty social engineer to trick users into downloading malware or send them to a fake webpage as part of a phishing campaign.
For some credulous users, the fact that they’re being redirected from a government website may lend an air of legitimacy to an otherwise suspicious hyperlink.
The user-generated redirect pages still bear a disclaimer warning users they are leaving the DOJ’s network. However, if a visitor remains on the redirect page for more than a few seconds, it automatically redirects the user to the offending site. This adds an extra layer of absurdity to a comical flaw on the website of a government agency that spends much of its time trying to convince tech companies to purposefully weaken encryption standards, and thus imperil US consumers.
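The flaw described above is a classic open redirect: the site forwards visitors to whatever address appears in its URL, so any third party can mint a .gov-branded link to itself. The example below is added here for illustration and is not code from AmberAlert.gov, the DOJ, or Gizmodo; the query parameter name `url`, the allowlist and the sample links are constructed for the demo. It puts the vulnerable pattern next to a hardened check and goes slightly beyond the article by also handling the parsing edge cases (scheme-relative `//host`, backslashes, `javascript:` schemes, credentials before an `@`) that commonly slip past naive "does it start with a slash" filters.

```python
"""Open-redirect check: vulnerable handler next to a hardened one.

Added example, not code from AmberAlert.gov or the DOJ. The parameter name
"url", the allowlist and the sample inputs are constructed for the demo.
"""
from urllib.parse import urlsplit

# Constructed allowlist of hosts this site is willing to send visitors to.
ALLOWED_HOSTS = frozenset({"amberalert.gov", "www.amberalert.gov"})


def vulnerable_redirect(params: dict) -> str:
    """The pattern the article describes: the query string alone decides
    where the visitor goes, so any site can point a .gov link at itself."""
    return params.get("url", "/")


def is_safe_redirect(requested: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if the target stays on this site or an allowed host."""
    if not requested:
        return False
    # Whitespace and control characters make parsers and browsers disagree
    # about where the URL starts; refuse them outright.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in requested):
        return False
    # Browsers treat "\" like "/" (so "/\evil.example" is scheme-relative);
    # Python's parser does not, so reject backslashes before parsing.
    if "\\" in requested:
        return False

    parts = urlsplit(requested)
    scheme = parts.scheme.lower()

    # Relative path on this site: exactly one leading slash. Both "//host"
    # and "///host" resolve to another origin in browsers, so refuse them.
    if scheme == "" and parts.netloc == "":
        return requested.startswith("/") and not requested.startswith("//")

    # Absolute URL: only web schemes, and the host must be allowlisted.
    # .hostname drops userinfo and port, so "https://amberalert.gov@evil.example"
    # is judged by its real host, evil.example, not by the decoy before "@".
    if scheme not in ("http", "https"):
        return False
    host = parts.hostname
    return host is not None and host.lower() in allowed_hosts


def hardened_redirect(params: dict, fallback: str = "/") -> str:
    """Send the visitor to the requested target only if it passes the check;
    otherwise land them on the site's own front page."""
    requested = params.get("url", "")
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    # Constructed sample links of the kind a crawler could submit.
    samples = [
        "/alerts/123",
        "https://www.amberalert.gov/alerts",
        "https://evil.example/",
        "//evil.example/",
        "///evil.example",
        "/\\evil.example",
        "javascript:alert(1)",
        "https://amberalert.gov@evil.example/",
        "https://amberalert.gov.evil.example/",
    ]
    for s in samples:
        print(f"{s!r:42} vulnerable -> {vulnerable_redirect({'url': s})!r:42}"
              f" hardened -> {hardened_redirect({'url': s})!r}")
```

The allowlist approach is deliberately strict: a redirect endpoint on a public site rarely needs to reach arbitrary hosts, and the interstitial "you are leaving our network" page the article mentions does not help once the page forwards automatically. If cross-site redirects are genuinely required, a better design is to redirect only to identifiers the server maps to known destinations, rather than to caller-supplied URLs at all.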
“Anyone can use this page to redirect someone to another potentially malicious site,” Desautels warns. “For example, this could be used to redirect an unsuspecting victim to a site that deploys malware. It doesn’t really put the DOJ at risk, but it puts people on the internet at risk and oddly seems to be helping the porn industry.”
Gizmodo reported the issue to DOJ on Tuesday afternoon and is awaiting a response.
Update, 6:20pm: As it turns out, there appear to be a lot of US government websites running faulty redirect scripts. Weather.gov and the National Oceanic and Atmospheric Administration, for instance, are pointing to what appear to be a number of bestiality pages.
Update, 4/18: The redirect issue impacting the Amber Alert site was repaired sometime early this morning or late yesterday evening. DOJ has yet to respond. Additionally, a source informed Gizmodo of efforts underway to address any similar issues affecting other government domains.