A Year Later, US Government Websites Are Still Redirecting To Hardcore Porn (gizmodo.com)

An anonymous reader quotes a report from Gizmodo: Dozens of U.S. government websites appear to contain a flaw enabling anyone to generate URLs with their domains that redirect users to external sites, a handy tool for criminals hoping to infect users with malware or fool them into surrendering personal information. Gizmodo first reported a year ago that a wide variety of U.S. government sites were misconfigured, allowing porn bots to create links that redirected visitors to sites with colorful names like "HD Dog Sex Girl" and "Two Hot Russians Love Animal Porn." Among those affected was the Justice Department's Amber Alert site, links from which apparently redirected users to erotic material.

The ability to generate malicious links that appear to lead to actual government websites can be a handy pretense for criminals conducting phishing campaigns. What's more, these malicious redirects may be used to send users to websites masquerading as official government services, encouraging them to hand over personal information, such as names, addresses, and Social Security numbers.

  • by 110010001000 ( 697113 ) on Tuesday June 11, 2019 @07:41PM (#58747490) Homepage Journal

    I was trying to file my taxes and ended up looking at a porn site. Damn Trump!

  • by Snotnose ( 212196 ) on Tuesday June 11, 2019 @07:55PM (#58747548)
    You're a 20 year bureaucrat in $agency. If you spend your time making sure all rules are being followed you'll at least keep your job, at best get promoted. But if you waste time ensuring your agency's website doesn't go to porn at best you get nothing, worst case random $Congresscritter finds a rule that isn't being followed, and you get canned with no pension.

    Incentives matter.
  • To be clear.. (Score:4, Informative)

    by fafalone ( 633739 ) on Tuesday June 11, 2019 @07:58PM (#58747564)
    This is about doing something like changing redirect.php?url=original.com to pornsite.com, on a URL from a 3rd party site, not actually changing page content. So not really a "security flaw" as much as a 'mitigating stupidity oversight'.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      This is about doing something like changing redirect.php?url=original.com to pornsite.com, on a URL from a 3rd party site, not actually changing page content. So not really a "security flaw" as much as a 'mitigating stupidity oversight'.

      That's because you lack imagination. Suppose you get an email claiming to be from the Social Security Administration. They tell you that you need to register your social security number or something so that you'll qualify for benefits. They even send you a link to a page ssa.gov/redirect.php?=url=ssa.com and people start giving away PII to some malicious spammer? How do you know that the SSA didn't switch from .gov to .com? After all, the US Postal Service switched from a .gov to a .com.

      • That's precisely the distinction I was drawing. An action taken to protect people who don't understand they're at the wrong site is stupidity mitigation, not a security flaw. I'm not saying it shouldn't be done, but it's a different class of problem, just like that email isn't/doesn't have a security flaw just because someone got tricked by it. A measure to help people not get tricked is a good thing, but its absence isn't equivalent to a security flaw in the sense most people understand the term.
        • And yes I'm being a bit pedantic but the article was really playing up the idea this was some big hole hackers exploited, not just a failure to further proactively protect people who were never taught internet safety.
          • I think it's fair to say this isn't a security flaw in their system, however I don't think it's fair to imply all of the blame lies with the users.

            This is basically like leaving department letterhead in a stack in front of the government office building. You can't get into the building, or access secret documents with this letterhead, so it's not technically a security flaw. However, you do bear some responsibility when someone takes that letterhead and issues fake memos from your department, scamming peopl

    • It's a security defect called an "open redirect." Redirecting people to porn is a harmless prank. Other posters have always pointed out that it is considered a security defect. It's true that in most cases, when you have an open redirect, you become an unwilling participant in attacking somebody else. But occasionally you can be victimized yourself in some creative exploits. In any event, it's something that ought to be fixed.
      • There should be a distinction between a measure to protect people from themselves if someone is using something the way it was intended to function just in a way that's deceitful, and an unintentional bug that allows someone to do something they shouldn't have been able to do.
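The "redirect.php?url=" pattern discussed in this thread, shown as an added example (not code from the article or from any of the affected sites): the flawed handler echoes whatever ?url= says, and the fixed one rebuilds the Location value on an allowlisted host. The site name and allowlist are assumed values for illustration.

```python
from urllib.parse import urlparse, urlunparse

# Assumed values for the example: a hypothetical agency site and the hosts
# its ?url= parameter is allowed to send visitors to.
SITE_HOST = "example.gov"
ALLOWED_HOSTS = {"example.gov", "www.example.gov", "forms.example.gov"}

def open_redirect_target(url):
    """The misconfiguration from the article: trust ?url= as given."""
    return url

def safe_redirect_target(url, default="https://example.gov/"):
    """Rebuild the Location value on an allowlisted host, else fall back.

    Covers the common bypasses: protocol-relative '//evil', backslashes,
    userinfo tricks ('https://example.gov@evil'), and non-http schemes.
    """
    if not url:
        return default
    # Browsers treat '\' like '/', so normalise before parsing.
    parsed = urlparse(url.replace("\\", "/"))
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return default                      # javascript:, data:, ...
    if parsed.netloc:
        host = (parsed.hostname or "").lower()
        if host not in ALLOWED_HOSTS or parsed.username or parsed.password:
            return default
    else:
        host = SITE_HOST                    # relative path: stay on our origin
    # Re-emit from parsed parts (always https, no port, no userinfo);
    # never echo the raw string back into the Location header.
    path = "/" + parsed.path.lstrip("/")
    return urlunparse(("https", host, path, "", parsed.query, ""))
```

An exact-match host set is deliberate: suffix checks such as `endswith("example.gov")` are the usual way an allowlist gets bypassed with a lookalike domain.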
  • by Tablizer ( 95088 ) on Tuesday June 11, 2019 @08:11PM (#58747604) Journal

    Either way, dealing with the US gov't you get screwed.

    • it's funny and all, but the US gov't paid for the medicine to save my kid's life and for my type-I diabetic friend's insulin. I know you're just joking around, but it's part of a perverse narrative that the gov't can't do anything right and it's getting used to turn folk off from the good gov't does and in turn cut life saving programs.

      And yeah, after having multiple people in my life saved by gov't supplied healthcare I've kinda got a stick up my ass about it.
    • This year after I got Intuit'd for the first time trying to do taxes, I'm basically getting passed around, taking it from both ends. If the IRS set up a useful filing website, I'd only have to tend to 1 dick. To me, that's preferable, until we invent the dickless world. Where I only receive head, and never have to give. Just like nature intended - a long life of 22 years, with no taxes... thank God our country is finally on the right track, with a stern Christian leader.
  • There's probably a lot of government sites where the overall utility to citizens would be increased by providing hardcore porn. Maybe that's why they left some up.

  • That was 20 years ago.
  • Pics or didn't happen!

  • by sootman ( 158191 ) on Wednesday June 12, 2019 @11:08AM (#58749862) Homepage Journal

    From the summary:

    Gizmodo first reported a year ago that a wide variety of U.S. government sites were misconfigured, allowing porn bots to create links that redirected visitors to sites with colorful names like "HD Dog Sex Girl" and "Two Hot Russians Love Animal Porn." Among those affected was the Justice Department's Amber Alert site, links from which apparently redirected users to erotic material.

    Gizmodo first reported a year ago that a wide variety of U.S. government sites were misconfigured, allowing porn bots to create links that redirected visitors to sites with colorful names like "HD Dog Sex Girl" and "Two Hot Russians Love Animal Porn." Among those affected was the Justice Department's Amber Alert site, links from which apparently redirected users to erotic material.

    In a distressing world full of constant change and upheaval, the quality of Slashdot's editorial team is a soothing constant. I was worried when Taco sold out, but it looks like my fears were unfounded.
