Open redirects persist on government sites

Spammers are taking advantage of misconfigured dot-gov domains and link shorteners to redirect visitors to other sites.

When sites use open redirects – web apps that accept a user-supplied link and then send the user on to that external site – a spammer can insert any URL and send the user to a malicious site, simplifying phishing attacks.

According to a recent Krebs on Security blog, some government sites are using open redirects. South Dakota’s site, Krebs said, uses this open redirect – http://dss.sd.gov/scripts/programredirect.asp?url= – which allows spammers to send the visitor from the government site on to any other webpage.
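As an added illustration that is not code from the article or from the state site, the snippet below shows the pattern described above (a `url=` parameter forwarded unchecked) beside a hardened handler that only allows local paths or allow-listed hosts; the allow-list and the example hostnames are constructed for this example.

```python
# Added example (not from the GCN article): a naive redirect handler beside a
# hardened one. The vulnerable form mirrors the pattern the article describes,
# where a `url=` query parameter is forwarded unchecked to an external site.
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed allow-list for the example; a real deployment would list its own hosts.
ALLOWED_HOSTS = {"dss.sd.gov", "www.sd.gov"}


def vulnerable_redirect_target(query_string: str) -> str:
    """Open redirect: whatever the visitor put in url= is used verbatim."""
    params = parse_qs(query_string)
    return params.get("url", [""])[0]


def safe_redirect_target(query_string: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return the target only if it is a local path on this site or an absolute
    https URL whose host is on the allow-list; otherwise fall back to '/'."""
    target = parse_qs(query_string).get("url", [""])[0].strip()
    if not target:
        return "/"
    # Browsers treat '/\evil.example' like '//evil.example', so normalise first.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Scheme-relative input ('//evil.example') already yields a netloc, so this
        # branch is a genuinely local path. Require exactly one leading slash.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return "/"
    if parts.scheme.lower() != "https":
        return "/"  # rejects http:, javascript:, data: and similar schemes
    if parts.username or parts.password:
        return "/"  # rejects https://trusted-host@evil.example style tricks
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return "/"
    # Rebuild from the parsed parts so odd encodings do not pass through unchanged.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
```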

If open redirect URLs originating from .gov or .mil sites are then run through bit.ly, the link shortening service the government uses to automatically create usa.gov URLs, the redirection is hidden even further. That means a link through a government site’s open redirect could be shortened to look something like this: http://1.usa.gov/12345.

Krebs said the open redirect vulnerability is widely acknowledged and that Symantec reported that about 15 percent of all 1.usa.gov URLs during a week in October 2012 were used to promote spam messages.

About the Author

Connect with the GCN staff on Twitter @GCNtech.
