A flaw in NASA’s website dedicated to astrobiology could have tricked users into visiting malicious websites by disguising a dangerous URL with NASA’s name.
Space travel is undoubtedly dangerous. And, apparently, so is visiting NASA’s legitimate websites. The Cybernews research team independently discovered an open redirect vulnerability plaguing NASA’s Astrobiology website.
After finding the flaw, we discovered that an open bug bounty program researcher had already discovered it a couple of months earlier, on January 14th, 2023, but it was not addressed and fixed by the agency.
This means that one of the world’s leading space research facilities exposed global users to risk for at least a few months, until May 2023. Attackers could have used the flaw to redirect anyone to malicious websites, prompting users to part with their login credentials, credit card numbers, or other sensitive data.
NASA’s spokesperson told Cybernews that the organization always prioritizes the security of its public websites and continuously scans for vulnerabilities. Additionally, NASA said it invites the public and security researchers “to report any potential problems or misuses of our websites in good faith, through our Vulnerability Disclosure Program.”
“NASA takes prompt action to validate and resolve all third-party reports, such as these, identifying and mitigating them appropriately,” NASA’s spokesperson said.
What is an open redirect vulnerability?
The open redirect flaw resembles a cheating taxi driver. Suppose you hail a cab and tell the driver where you want to go. Instead of validating the destination, they take you to an unsavory neighborhood.
Similarly, users trying to access astrobiology.nasa.gov could easily have ended up on a malicious website. Normally, web applications validate or sanitize user-provided input, such as a URL or a parameter, to prevent malicious redirects from happening.
“The vulnerability can be exploited by attackers to trick users into visiting malicious websites or phishing pages by disguising the malicious URL as a legitimate one,” Cybernews researchers explained.
Why is an open redirect flaw dangerous?
An attacker could craft a link to NASA’s website with additional parameters that direct users to a place of their choosing. The malicious redirect might even resemble NASA’s page, only spruced up with a prompt asking to enter credit card data.
Additionally, threat actors could leverage open redirect bugs to lead users onto websites that download malware to their computers or mobile devices immediately upon landing.
Another way to exploit the flaw is to manipulate search engine rankings by redirecting users to websites exhibiting low-quality content or spam.
While we don’t have confirmation that anyone actually exploited the bug that was plaguing NASA’s website, our team, as well as the open bug bounty program researcher, discovered the flaw independently of each other.
Since the open redirect flaw was present for several months, there might have been others with possibly less altruistic intentions who stumbled upon the same discovery.
How to mitigate open redirect vulnerabilities?
Open redirect flaws are serious since they allow malicious actors to carry out phishing attacks, steal credentials, and spread malware.
To avoid such mishaps, the team strongly advises website owners to validate all user input, including URLs, to ensure the input only contains valid values.
“This can include using regular expressions to verify that URLs are in a proper format, checking that URLs are from trusted domains, and verifying that URLs do not contain any unexpected or malicious characters,” researchers explained.
To prevent malicious characters from being injected into URLs, website admins can also apply URL encoding to user-supplied values. By doing so, they would deny threat actors the ability to exploit an open redirect flaw even if one did come up.
“Website owners can create a whitelist of trusted URLs and only allow redirects to those URLs. This can help to prevent attackers from redirecting users to malicious or unauthorized websites,” the team said.
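The allowlist check the researchers describe, as an added example that is not code from the article or from NASA’s site: a Python standard-library helper (hypothetical name `safe_redirect_target`, constructed placeholder hostnames) that accepts only same-site paths or http(s) URLs on a trusted-host list and falls back to the home page for everything else, including scheme-relative and backslash variants.

```python
from urllib.parse import urlparse, urlunparse

# Constructed allowlist for this example; a real site would load it from
# configuration. Only these exact hostnames may be redirect targets.
ALLOWED_HOSTS = {"www.example-agency.test", "astrobiology.example-agency.test"}
DEFAULT_TARGET = "/"


def safe_redirect_target(user_url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return a value that is safe to place in a Location header.

    Accepts a same-site path ("/news") or an absolute http(s) URL whose
    host is on the allowlist; every other input falls back to DEFAULT_TARGET.
    """
    if not user_url or len(user_url) > 2048:
        return DEFAULT_TARGET
    # Browsers treat a backslash after the origin like a slash, while many
    # server-side parsers do not; normalise first so "/\evil.test" is judged
    # by the same rules as "//evil.test".
    candidate = user_url.replace("\\", "/")
    # Whitespace or control characters inside a URL indicate tampering.
    if any(ord(ch) < 0x21 for ch in candidate):
        return DEFAULT_TARGET
    try:
        parsed = urlparse(candidate)
        port = parsed.port  # raises ValueError on a malformed port
    except ValueError:
        return DEFAULT_TARGET
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative reference: require exactly one leading "/" so the browser
        # cannot read it as scheme-relative ("//host").
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return DEFAULT_TARGET
    if parsed.scheme not in ("http", "https"):
        # Rejects javascript:, data:, and scheme-relative "//host" (urlparse
        # leaves the scheme empty but fills netloc for that form).
        return DEFAULT_TARGET
    if parsed.username or parsed.password or port is not None:
        # "https://www.example-agency.test@evil.test/" would fool a check
        # that only looks at the start of the string.
        return DEFAULT_TARGET
    if (parsed.hostname or "").lower() not in allowed_hosts:
        return DEFAULT_TARGET
    # Rebuild from the parsed parts rather than echoing the raw input.
    return urlunparse(parsed)
```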
Updated [June 6, 02:05 PM GMT] with a statement from NASA.