The official NASA website has some out-of-this-world security flaws

NASA
(Image credit: ahundt / Pixabay)

For months, one of NASA’s websites was vulnerable to an open redirect flaw, allowing threat actors to redirect unsuspecting visitors to malicious third party landing pages. 

This is according to cybersecurity researchers from the Cybernews team, who said there’s no evidence of the flaw being abused in the wild, but that such a scenario is quite probable.

Earlier this week, the Cybernews team reported that its researchers discovered a flaw in NASA’s Astrobiology website. The vulnerability allows threat actors to redirect the visitors elsewhere, and the researchers believe hackers might have created a website seemingly identical to NASA’s.

Validating user input

The fake page may have a login prompt, a download button, or a fake payment gateway, tricking visitors into downloading malware, giving away identity data, or money. 

The least damaging scenario is the one where hackers simply redirect people to a page with ads and monetize the visits and clicks.

The team also said that another security researcher discovered the same flaw independently in mid-January too. Given that NASA failed to address the vulnerability on its premises (despite being notified on time), there’s a high chance that a malicious actor discovered it as well, they say. 

To protect against open redirect flaws, the Cybernews team says website owners need to validate all user input, including URLs, to make sure the input only contains valid values. 

“This can include using regular expressions to verify that URLs are in a proper format, checking that URLs are from trusted domains, and verifying that URLs do not contain any unexpected or malicious characters,” the researchers said.

Another method is URL encoding, which prevents malicious characters from being injected into URLs. That effectively prevents threat actors from exploiting open redirect flaws even if they are present on the website. 

“Website owners can create a whitelist of trusted URLs and only allow redirects to those URLs. This can help to prevent attackers from redirecting users to malicious or unauthorized websites,” the team concluded.

Via: Cybernews

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A person holding a credit card in one hand while typing on a laptop keyboard with the other.
European Space Agency hack sees official store hijacked to steal customer details
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Another serious WordPress plugin vulnerability could put 40,000 sites at risk of attack
coding
Popular open source vulnerability scanner Nuclei forced to patch worrying security flaw
Wordpress brand logo on computer screen. Man typing on the keyboard.
Thousands of WordPress sites targeted with malicious plugin backdoor attacks
WordPress
Another top WordPress plugin found carrying critical security flaws
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Thousands of WordPress websites hit in new malware attack, here's what we know
Latest in Security
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Code Skull
US government warns Medusa ransomware has hit hundreds of critical infrastructure targets
Latest in News
Image showing detail of the Leica D-Lux 8
Still can't get a Fujifilm X100VI? This premium Leica compact costs less, and it's in stock
Man using iMessage on an iPhone
Apple will finally enable encrypted RCS messages between iOS and Android, and it's about time
Jason Sudeikis' Ted Lasso pointing at someone in Ted Lasso season 2
Believe it, baby: Ted Lasso season 4 is officially in development for Apple TV+ and Jason Sudeikis will reprise his role as the titular soccer coach
Quordle on a smartphone held in a hand
Quordle hints and answers for Saturday, March 15 (game #1146)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Saturday, March 15 (game #377)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Saturday, March 15 (game #643)