Open redirect on government website sends users to adult content

Fake websites and open redirects have conspired to make things awkward for a UKGOV website. The site in question, riverconditions(dot)environment-agency(dot)gov(dot)uk, was being abused in search engine results to redirect to various sites which aren’t associated with UKGOV—most of which were adult sites. Worse, it took a little bit of time to have the site taken down so the appropriate fixes could be made.

How did the scammers achieve this slice of open redirection activity? Let’s take a look.

What is an open redirect?

An open redirect can be a way for a website to send you to somewhere you weren’t expecting. It works for all manner of scam attempts, and can be particularly convincing in cases of phishing. This was the case back in August 2021 when Microsoft issued warnings about such a campaign.

Open redirects can also be involved in everything from token theft to dropping you onto a malware page. It’s a very versatile tool in the hands of a skilled attacker. Someone who is unfamiliar with the redirect process could well end up accusing your site of performing the malware install or phishing theft directly. In reality, your site was dragged along for the ride as a result of not sanitising or validating what’s taking place where open redirects are concerned.

A list of suggestions and recommendations for preventing unwanted redirects can be seen on the ever popular OWASP cheat sheet for this topic.

What sites were the final destination for the redirects?

The primary aim for these redirects was to send visitors to pornography sites. Some of them made use of OnlyFans branding to presumably add a sense of legitimacy to the fake portals. Eventually, those sites would send visitors even further to dating sites with some sort of cheating or scandal theme.

Elsewhere, others found various assorted redirects with additional folks claiming to have seen yet more cam site redirects on “environment agency” portals. It sounds like someone over at UKGOV is going to be spending a bit of overtime on this one.

A difficult fix

In theory this should have been fairly easy to report, and have fixed. Unfortunately several issues conspired to make it all sound a bit tricky. As Bleeping Computer notes, this particular UKGOV site is not part of the HackerOne bug bounty platform. As a result it took 24 hours to notify the right people at the Department for Environment, Food, and Rural Affairs (DEFRA) and an additional 48 hours for the site to be pulled. At time of writing, the site is still offline and has been since at least Monday.

As mentioned by the researchers who found this issue, Government websites should produce security.txt documentation to allow for speedy reporting but this wasn’t the case here. In fact, they mention that someone had already reported this to UKGOV last November but received no response. Government sites are popular targets for open redirect activities, so we can only hope the site and server admins do a better job of preemptively blocking these openings for attackers and make it easier to report these issues in the first place.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

https://blog.malwarebytes.com/feed/