Blog: Vulnerability Disclosure
UK gov website being used to redirect to porn sites
TL;DR
UK Government Environment Agency web site had an open redirect that was actively being used to redirect to various porn sites, including OnlyFans clone sites. Disclosure should have been easy but wasn’t, as the agency haven’t followed wider UK government policy on vulnerability disclosure.
What we found
We noticed an open redirect on the UK’s Environment Agency web site. It popped up during a Google search whilst we were looking for SoC (hardware System on Chip) datasheets.
We believe that the issue had been discovered some time earlier and had been shared on phishing forums.
This was the open redirect:
http://riverconditions.environment-agency.gov.uk/relatedlink.html?class=link&link=https://pentestpartners.com
The site has now been taken down, though that link would have taken you to our web site instead of the Environment Agency. Using trusted government sites with redirects adds significant credibility to a phishing campaign.
One example:
All of these lead to OnlyFans clone sites:
As can be seen when we follow the links. Impressivedate.com is an OnlyFans clone. You’ll need to trust me on that, unless you want to visit it yourself!
Disclosure
As always, we went to disclose privately to the agency. UK gov web sites should publish security.txt files and disclosure should be through HackerOne https://www.gov.uk/help/report-vulnerability.
Except the agency didn’t follow this policy, so disclosure through HackerOne wasn’t possible.
We were now stuck, as we didn’t know anyone at the Environment Agency.
It took another 24 hours to find a route to start disclosure. The UK’s Cabinet Office were super-helpful with this.
Receipt was acknowledged and action was to be taken urgently.
Someone else had found the same issue about 48 hours after us, also through unusual results in a Google search.
Overnight, the web site was taken down and the DNS records removed.
Incidentally, the server was running Windows 2003 and may have exposed RDP. See shodan https://www.shodan.io/host/81.27.105.34.
Moral of the story?
Don’t run government sites on old web servers.
Check for open redirects.
Make vulnerability disclosure easy.
Update: 10th January 2023
Since we wrote this, we’ve been contacted by someone who found and reported the issue direct to the EA in November last year, but didn’t receive any response.