UPDATE: The exit message on the Senate website has changed since this post ran at The Weekly Standard. It's not perfect because it just lumps potential scamming sites in with the ones that Senators actually want to link to, but it is still an improvement.
--------------------
Less than a month
after the exposure of a widespread vulnerability on government "open data" websites, another perhaps even more insidious opening for abuse of government websites has come to light. The problem is known as an "unvalidated redirect," and has been found on the websites of the Environmental Protection Agency, the Treasury Department, and even the Senate, among others. The vulnerability is not a new one and could extend back months if not years, and is not an uncommon problem on commercial websites either.
A "redirect" is a web address that automatically opens a webpage or, in many cases, even a completely different website that the original address, or URL, indicated. Generally when a government website directs a user to an external site, a warning or disclaimer appears alerting the user. For instance, the Centers for Medicare and Medicaid Services website places a small "world" icon next to external links, and the site has a
page explaining the disclaimer:
Other government sites follow a different protocol where a special disclaimer page is displayed for several seconds after the external link is clicked before the users is automatically taken to the new page or site. While this protocol is not a problem in and of itself, if the website code does not restrict the ability to redirect only to sites approved by host sites, any web address can be substituted. This can allow unscrupulous website operators to provide a link in a website or an email that begins with a legitimate government address, such as senate.gov or epa.gov, but then quickly and automatically transport users to any website they choose.
The website for the Senate is an especially serious example of this vulnerability because of the complete lack of a disclaimer on the "exit" page before the redirect takes place. Senators
often will direct website users to pertinent news articles, stories concerning constituent issues, or government services on other federal websites. However, the following screen is all that users see before they are bounced to the new page or site:
Since the script for the exit page is not restricted, anyone can establish a link by entering a [web address] after this prefix: http://www.senate.gov/cgi-bin/exitmsg?url=[web address] For example, this link directs users to Google.com after bouncing off of Senate.gov: <
http://www.senate.gov/cgi-bin/exitmsg?url=http://www.google.com> But replacing "www.google.com" with any website works just the same way to direct users to that site. This opening could easily be exploited by inserting this type of link in a phishing email or a website and inviting users to simply click on what appears to be a Senate website address but in reality is a redirect to a phishing site. At that point, personal information could be solicited with the apparent endorsement of the Senate.
A bold scammer could even explicitly tell users, for example, that "you will see a message that you are exiting the Senate web server system and being transferred to our secure data collection site." Without a restriction on redirect links or even a disclaimer, there is nothing to warn an unsuspecting user that the Senate is in no way connected with the linked site.
The Senate's site is not the only government website vulnerable to this kind of exploitation. A subdomain of the Treasury Department's website, publicdebt.treas.gov, has a similar problem. While there is a more complete exit page provided, with a disclaimer ("You're going to a website that is not managed or controlled by the Bureau of the Public Debt. Its privacy policies may differ from ours."), the user is still bounced to the new site (again, using
google.com as an example) with the apparent blessing of the Treasury:
A Google search suggests that this vulnerability does not exist simply in theory, but has been used either innocuously or maliciously already. Here is a screenshot of a
Google search as it existed on March 9:
Clicking on each of these links automatically transfers users, after eight seconds of the exit page, to a website not connected to or endorsed by the Bureau of the Public Debt of the Treasury Department, yet without a clear warning to indicate such.
Other vulnerable websites include
biometrics.gov,
fmcsa.dot.gov, and
epa.gov. Unvalidated redirects linked from these government websites include sites for pornography, weight-loss site, and even a Bible study. Despite the obvious opening provided for phishing, no actual examples of linked phishing sites were found during the investigation for this story, although phishing attempts are often made via unsolicited mass emails. In any case, David Kennedy of the information security company
TrustedSec,asked to comment for this story, said that these unvalidated redirects are "definitely an exposure."
The House of Representatives is a good example of a government site that not only has a stronger disclaimer on its exit page, but disallows users from substituting a different web address in its exit URL. For instance, Rep. Paul Ryan
recently linked to a John McCormack piece at THE WEEKLY STANDARD. The exit page informs users that they are leaving the House website, and users must manually click on the link before being redirected instead of the redirect happening automatically. Additionally, users are told that "Neither the House office whose site contains the above link, nor the U.S. House of Representatives is responsible for the content of the non-House site you are about to access." Furthermore, an attempt to change the redirect address to a
different site or page is met with a "File Not Found" error.
The unvalidated redirect exposure is an unsophisticated yet effective tool for scammers. No hacking is required as the referring websites do not actually host any unauthorized pages, but the simplicity actually works to the advantage of potential scammers or those simply seeking to direct additional traffic to their websites. On the upside, the simplicity also means a relatively simple fix at the affected websites. But until more government websites follow the example of the House or the Centers for Medicare and Medicaid Services, the unvalidated redirect will remain a prime opportunity for marketers or scammers looking to trade on the authority and sense of security conferred by a connection to the federal government.
Note: A version of this post first appeared at The Weekly Standard.