Open redirects persist on government sites

Spammers are taking advantage of misconfigured dot-gov domains and link shorteners to redirect visitors to other sites.

When sites use open redirects -- web apps that let a user specify a link and then send the user on to an external site -- a spammer can insert any URL and send the user to a malicious site, simplifying phishing attacks.

According to a recent Krebs on Security blog, some government sites are using open redirects. South Dakota’s site, Krebs said, uses this open redirect -- http://dss.sd.gov/scripts/programredirect.asp?url= -- which allows spammers to send the visitor from the government site on to any other webpage.
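As an added illustration (not code from the article, from Krebs on Security, or from any site it names), here is how a redirect endpoint that takes a ?url= parameter can validate the target before redirecting, rejecting protocol-relative, backslash and non-http(s) values; the dss.sd.gov origin and the host allow-list are assumed sample values.

```python
from urllib.parse import urlparse, urljoin

# Assumed sample values: the site's own origin and the hosts it may redirect to.
SITE_ORIGIN = "https://dss.sd.gov"
ALLOWED_HOSTS = {"dss.sd.gov", "www.sd.gov"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if `target` is a same-site relative path or an http(s) URL
    whose host is on the allow-list; anything else would be an open redirect."""
    if not target:
        return False
    # Browsers treat backslashes like slashes, so normalise before parsing;
    # otherwise "/\evil.example" would look like a harmless relative path.
    candidate = target.replace("\\", "/")
    parsed = urlparse(candidate)
    if not parsed.scheme and not parsed.netloc:
        # A plain relative path such as "/benefits" (but not "//host", which
        # is protocol-relative and points off-site).
        return candidate.startswith("/") and not candidate.startswith("//")
    # Rejects javascript:, data:, and protocol-relative "//evil.example" forms.
    if parsed.scheme not in ("http", "https"):
        return False
    # hostname drops any "user@" prefix, so "https://dss.sd.gov@evil.example"
    # resolves to evil.example and is refused.
    host = (parsed.hostname or "").lower()
    return host in allowed_hosts


def vulnerable_redirect(url_param: str) -> str:
    """The pattern described in the article: the ?url= value is used as-is."""
    return url_param


def hardened_redirect(url_param: str, fallback: str = SITE_ORIGIN + "/") -> str:
    """Redirect only to a validated target; otherwise send the user to the site root."""
    if is_safe_redirect(url_param):
        return urljoin(SITE_ORIGIN + "/", url_param.replace("\\", "/"))
    return fallback
```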

If these open redirect URLs originating from .gov or .mil sites are then shortened by bit.ly, the link-shortening service the government uses to automatically create usa.gov URLs, the redirection is hidden further: a government URL with an open redirect could be shortened to look something like http://1.usa.gov/12345.

Krebs said the open redirect vulnerability is widely acknowledged and that Symantec reported that about 15 percent of all 1.usa.gov URLs during a week in October 2012 were used to promote spam messages.

About the Author

Connect with the GCN staff on Twitter @GCNtech.
