The website for the National Weather Service, www.weather.gov, has been a favorite target for those seeking to exploit the unvalidated redirect vulnerability. A Google search shows an extensive list of hundreds of websites linked with an automatic redirect. Some are legitimate, such as one on lightning strikes, but more common are those hawking website hosting, insurance, and even herpes cures:
The links begin with the legitimate address of the National Weather Service, www.weather.gov. Clicking on these links, which can be embedded in other websites or included in an email, first brings up a page alerting users that they are exiting the NWS website and that the link does not constitute an endorsement of the site. However, the page also says, "NWS provides a link to this site because it may contain related information of interest to you." Following is a screenshot of the page that appears for about 10 seconds before, in this case, the user is taken to a video extolling the virtues of a natural cure for herpes:
The biometrics.gov website is another favorite platform for those seeking to exploit the unvalidated redirect. This website, pointed out in the 2014 story, is still being utilized more than a year later by dozens of external websites including a Turkish LGBT site, a site for diet pills, a poker blog, a site touting "manly yoga", and even a Bible study.
Some sites are greater risks than others. For example, a subdomain of the website for the National Institutes of Health (nhlbi.nih.gov) is vulnerable. A malicious programmer could provide users what appears to be a legitimate NIH website address, but use a redirect to a website that could harvest personal and health information from unsuspecting victims. The NIH exit page contains some warnings, but since the page is only visible for 10 seconds before the automatic redirect kicks in, there is too little time to actually read the entire page. Serve.gov is yet another website with a complicated exit page that could misdirect those looking for opportunities for community service to a scammer's site instead.
Many websites contain links to external sites, but the scripts to handle these links can be configured to prevent this type of manipulation. Due to the presumed authority of government websites, the unvalidated redirect vulnerability is particularly pernicious. The Open Web Application Security Project, a non-profit group that seeks to improve software security, lists the unvalidated redirect in its top ten list of security vulnerabilities, noting that "[w]ithout proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages."
Note: A version of this post first appeared at The Weekly Standard.