For months, one of NASA’s websites was vulnerable to an open redirect flaw, allowing threat actors to redirect unsuspecting visitors to malicious third party landing pages.
This is according to cybersecurity researchers from the Cybernews team, who said there’s no evidence of the flaw being abused in the wild, but that such a scenario is quite probable.
Earlier this week, the Cybernews team reported that its researchers discovered a flaw in NASA’s Astrobiology website. The vulnerability allows threat actors to redirect the visitors elsewhere, and the researchers believe hackers might have created a website seemingly identical to NASA’s.
Validating user input
The fake page may have a login prompt, a download button, or a fake payment gateway, tricking visitors into downloading malware, giving away identity data, or money.
The least damaging scenario is the one where hackers simply redirect people to a page with ads and monetize the visits and clicks.
The team also said that another security researcher discovered the same flaw independently in mid-January too. Given that NASA failed to address the vulnerability on its premises (despite being notified on time), there’s a high chance that a malicious actor discovered it as well, they say.
To protect against open redirect flaws, the Cybernews team says website owners need to validate all user input, including URLs, to make sure the input only contains valid values.
“This can include using regular expressions to verify that URLs are in a proper format, checking that URLs are from trusted domains, and verifying that URLs do not contain any unexpected or malicious characters,” the researchers said.
Another method is URL encoding, which prevents malicious characters from being injected into URLs. That effectively prevents threat actors from exploiting open redirect flaws even if they are present on the website.
“Website owners can create a whitelist of trusted URLs and only allow redirects to those URLs. This can help to prevent attackers from redirecting users to malicious or unauthorized websites,” the team concluded.
Via: Cybernews
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba