For months, one of NASA’s websites was vulnerable to an open redirect flaw, allowing threat actors to redirect unsuspecting visitors to malicious third party landing pages.
This is according to cybersecurity researchers from the Cybernews team, who said there’s no evidence of the flaw being abused in the wild, but that such a scenario is quite probable.
Earlier this week, the Cybernews team reported that its researchers discovered a flaw in NASA’s Astrobiology website. The vulnerability allows threat actors to redirect the visitors elsewhere, and the researchers believe hackers might have created a website seemingly identical to NASA’s.
Validating user input
The fake page may have a login prompt, a download button, or a fake payment gateway, tricking visitors into downloading malware, giving away identity data, or money.
The least damaging scenario is the one where hackers simply redirect people to a page with ads and monetize the visits and clicks.
The team also said that another security researcher discovered the same flaw independently in mid-January too. Given that NASA failed to address the vulnerability on its premises (despite being notified on time), there’s a high chance that a malicious actor discovered it as well, they say.
To protect against open redirect flaws, the Cybernews team says website owners need to validate all user input, including URLs, to make sure the input only contains valid values.
“This can include using regular expressions to verify that URLs are in a proper format, checking that URLs are from trusted domains, and verifying that URLs do not contain any unexpected or malicious characters,” the researchers said.
Another method is URL encoding, which prevents malicious characters from being injected into URLs. That effectively prevents threat actors from exploiting open redirect flaws even if they are present on the website.
“Website owners can create a whitelist of trusted URLs and only allow redirects to those URLs. This can help to prevent attackers from redirecting users to malicious or unauthorized websites,” the team concluded.