Government Websites Vulnerable to Phishing Scams

     The websites of several federal government agencies, including the National Weather Service (NWS), are unprotected from scammers looking to exploit a security weakness to fool potential victims. The sites in question allow what are known as "unvalidated redirects." An unvalidated redirect is a link to an external website that appears to be sanctioned by the sending website, but in reality can be created by anyone, including scammers and identity thieves. In many cases, the redirects do not even require an additional click; users are taken to the external website automatically after a short pause as an exit message is displayed.
     The website for the National Weather Service, www.weather.gov, has been a favorite target for those seeking to exploit the unvalidated redirect vulnerability. A Google search shows an extensive list of hundreds of websites linked with an automatic redirect. Some are legitimate, such as one on lightning strikes, but more common are those hawking website hosting, insurance, and even herpes cures:

     The links begin with the legitimate address of the National Weather Service, www.weather.gov. Clicking on these links, which can be embedded in other websites or included in an email, first brings up a page alerting users that they are exiting the NWS website and that the link does not constitute an endorsement of the site. However, the page also says, "NWS provides a link to this site because it may contain related information of interest to you." Following is a screenshot of the page that appears for about 10 seconds before, in this case, the user is taken to a video extolling the virtues of a natural cure for herpes:

     This is not the first time the federal government has exposed itself this way. In March 2014, an investigation by THE WEEKLY STANDARD found that the website of the US Senate, along with several others, were susceptible to this vulnerability. Soon after that story was published, the Senate website changed the exit message to include a more explicit warning and also to require an additional click. However, the website script still allows any web address to be entered as a redirect.
     The biometrics.gov website is another favorite platform for those seeking to exploit the unvalidated redirect. This website, pointed out in the 2014 story, is still being utilized more than a year later by dozens of external websites including a Turkish LGBT site, a site for diet pills, a poker blog, a site touting "manly yoga", and even a Bible study.
     Some sites are greater risks than others. For example, a subdomain of the website for the National Institutes of Health (nhlbi.nih.gov) is vulnerable. A malicious programmer could provide users what appears to be a legitimate NIH website address, but use a redirect to a website that could harvest personal and health information from unsuspecting victims. The NIH exit page contains some warnings, but since the page is only visible for 10 seconds before the automatic redirect kicks in, there is too little time to actually read the entire page. Serve.gov is yet another website with a complicated exit page that could misdirect those looking for opportunities for community service to a scammer's site instead.

     Many websites contain links to external sites, but the scripts to handle these links can be configured to prevent this type of manipulation. Due to the presumed authority of government websites, the unvalidated redirect vulnerability is particularly pernicious. The Open Web Application Security Project, a non-profit group that seeks to improve software security, lists the unvalidated redirect in its top ten list of security vulnerabilities, noting that "[w]ithout proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages."

Note: A version of this post first appeared at The Weekly Standard.