Dozens of U.S. government websites appear to contain a flaw enabling anyone to generate URLs with their domains that redirect users to external sites, a handy tool for criminals hoping to infect users with malware or trick them into surrendering personal information.

Gizmodo first reported a year ago that a wide variety of U.S. government sites were misconfigured, allowing porn bots to create links that redirect visitors to sites with colorful names like “HD Dog Sex Girl” and “Two Hot Russians Love Animal Porn.” Among those affected was the Justice Department’s Amber Alert site, links from which apparently redirected users to pornography.

The ability to generate malicious links that appear to lead to actual government websites can be a handy disguise for criminals conducting phishing campaigns. What’s more, these malicious redirects may be used to send users to websites masquerading as official government services, prompting them to hand over personal information, such as names, addresses, and Social Security numbers.

The Capitol Dome is seen from the Russell Senate Office Building in Washington, D.C. Photo: J. Scott Applewhite / AP

Last week, for example, StateScoop reported that a foreign hacker had set up phony versions of local government websites throughout the U.S. with the aim of stealing information from small and medium-sized businesses. The websites impersonated include those belonging to government officials in San Mateo, California; Tampa, Florida; North Las Vegas, Nevada; and Dallas County, Texas.

A year after Gizmodo’s article, Google has continued to index redirect links from government domains that direct users to what appears to be pornography. A redirect from Whistleblowers.gov, a site run by the U.S. Commodity Futures Trading Commission (CFTC), points users to “Free Extreme Brutal Porn Videos.” Another link from the Department of Health and Human Services’ Healthfinder.gov website sends users to “Menage A Trois With Russian Teen Babe.”

Theoretically, the same trick being used by bots to generate backlinks to porn, presumably in an attempt to boost their search rankings, could also be used to redirect users to websites hosting malware.

Screenshot: Dave Maass

“This isn’t a problem that requires a cybersecurity contractor to discover. It just came up through some fairly basic Google searches,” says David Maass, an investigative researcher at the Electronic Frontier Foundation. “I was able to turn up several dozen agencies in just about 20 minutes of searching. I don’t think it’s a particularly hard problem to fix.”

“What makes it worse is that even after this issue was reported in a national news outlet, it still didn’t trigger a review,” he added.

It’s not just federal agencies that are affected. Several redirects from the U.S. Senate’s page point users to such cinematic classics as “Thick White Wife and Black Cock” and “POV 3D Hentai Blowjob.” The official site for the Dwight D. Eisenhower Memorial appears to have, at least at one point, hosted a form of pornographic material.

Screenshot: Dave Maass

State governments, too, are affected. Many links emanating from agencies and offices in Wisconsin, Minnesota, Kentucky, Colorado, Florida, and Georgia direct users not only to porn but to what appear to be online scams.

Some redirects, such as one using the domain of the National Cancer Institute’s Cancer.gov website, point to pages offering discounts on erectile dysfunction medication.

What’s causing this? In all likelihood, the web applications behind these websites aren’t configured to prevent just anyone from generating a redirect link to an outside site. But the issue can be remedied quite easily.

Here’s a lengthier explanation of the issue offered by the Open Web Application Security Project (OWASP):

Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.

Depending on the web software used by the sites, these unvalidated redirects can be switched off completely. But even if not, there are other ways to mitigate the problem. One way is to at least warn users that they’re leaving an official government website. That’s what DOJ was doing before its Amber Alert page was fixed. Users were prompted with a message warning them: “You are now leaving a Department of Justice Web site.”
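As an added example, not code from Gizmodo, OWASP or any agency named here, the Python function below validates a user-supplied redirect target the way the two mitigations above describe: anything that is not a same-origin path or an allowlisted host is refused, and allowlisted external hops are flagged so the site can show a “you are now leaving” notice first. The allowlist of hosts is constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist of external hosts this site is willing to send
# visitors to; a real deployment would load its own list.
ALLOWED_EXTERNAL_HOSTS = {"www.justice.gov", "www.hhs.gov"}

FALLBACK = "/"  # where to send the user when the requested target is rejected


def classify_redirect(target, allowed_hosts=ALLOWED_EXTERNAL_HOSTS):
    """Decide what to do with a user-supplied redirect target.

    Returns (action, url) where action is one of:
      "follow" - same-origin relative path, safe to redirect silently
      "warn"   - allowlisted external host, show a "you are leaving" notice
      "reject" - anything else; send the user to FALLBACK instead
    """
    if not isinstance(target, str) or not target:
        return ("reject", FALLBACK)

    # Browsers strip tabs/newlines and treat backslashes as forward slashes,
    # so "/\\evil.example" or "/\t/evil.example" parse differently in the
    # browser than in urlsplit. Refuse anything that depends on that gap.
    if "\\" in target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return ("reject", FALLBACK)

    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 brackets
        return ("reject", FALLBACK)

    # Relative path on our own origin: must start with exactly one slash.
    # "//host/..." is protocol-relative, and browsers collapse "///host" and
    # "////host" into a host as well, so any leading "//" is refused.
    if not parts.scheme and not parts.netloc:
        if target.startswith("/") and not target.startswith("//"):
            return ("follow", target)
        return ("reject", FALLBACK)

    # Absolute URL: only http(s) to an allowlisted host. .hostname drops
    # userinfo, so "https://www.justice.gov@evil.example/" is judged by
    # "evil.example", not by the decoy host name before the "@".
    if parts.scheme not in ("http", "https"):
        return ("reject", FALLBACK)
    host = parts.hostname
    if host is None or host.lower() not in allowed_hosts:
        return ("reject", FALLBACK)
    return ("warn", target)
```

A "warn" result is where the DOJ-style interstitial belongs; a "follow" result can issue the 302 directly.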

Gizmodo is currently in the process of contacting as many of the government agencies affected by this issue as it can.

Got a tip? Email the author: [email protected]
