Royal Mail website put users at risk due to major security fail


One of the websites belonging to Royal Mail, the British postal service and courier company, featured a major vulnerability that could have been used to steal sensitive user data or drop malware onto victim endpoints.

A report from Cybernews uncovered the flaw and “repeatedly informed” Royal Mail about it.

The site has been offline for months now, the publication states, suggesting that the company has either addressed the issue or is currently working on it.

Dropping malware and stealing data

The flaw in question is an open redirect vulnerability, a relatively common weakness in web apps that take user-supplied input (a URL, for example) and use it to redirect the visitor to a different page. The vulnerability stems from failing to properly verify or sanitize that input, leaving room for malicious activity.

“The vulnerability can be exploited by attackers to trick users into visiting malicious websites or phishing pages by disguising the malicious URL as a legitimate one,” Cybernews researchers explained.

In other words, victims could be redirected to a malicious landing page that tricks them into giving away sensitive information (personally identifiable data, payment information, or similar), or to a page where they could be enticed into downloading malware (thinking they’re downloading legitimate software). In the best case, they’re redirected to a page full of ads and spam content.

Companies that have similar problems should make sure their websites validate all user input, Cybernews added, stating that websites can use URL encoding to prevent anyone from tampering with the URLs. Furthermore, website owners can create a whitelist of trusted URLs and only allow redirects to those URLs for even more customization.
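To make the open redirect pattern and the allowlist advice above concrete, here is an added example (not code from Royal Mail, Cybernews or this article). It puts the vulnerable shape, a handler that echoes a `?next=` parameter straight into the redirect, beside a hardened version that only permits site-local paths or absolute URLs on an allowlist of hosts. The hostnames and the `next` values are constructed for illustration; the `*.example-postal.test` names are hypothetical and are not Royal Mail domains.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist of hosts we are willing to send users to.
# Hypothetical names for illustration only, not Royal Mail's actual domains.
ALLOWED_HOSTS = {"www.example-postal.test", "track.example-postal.test"}
DEFAULT_TARGET = "/"


def vulnerable_redirect_target(next_param: str) -> str:
    """Open-redirect pattern: whatever arrives in ?next= becomes the Location header.

    Any attacker-chosen URL is accepted, so a link that starts with the real site's
    domain can bounce the visitor to a phishing or malware page.
    """
    return next_param


def safe_redirect_target(next_param: Optional[str]) -> str:
    """Return a redirect target that stays on an allowed host, else the default.

    Rejects the usual bypass shapes: absolute URLs to foreign hosts,
    scheme-relative '//evil.test', backslash variants such as '/\\evil.test',
    userinfo tricks like 'https://good.test@evil.test', non-http schemes
    (javascript:, data:), and embedded control characters.
    """
    if not next_param:
        return DEFAULT_TARGET
    candidate = next_param.strip()
    # Browsers treat backslashes as forward slashes, so normalise before parsing;
    # otherwise '/\evil.test' would pass a naive "starts with a single slash" check.
    candidate = candidate.replace("\\", "/")
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return DEFAULT_TARGET
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_TARGET  # javascript:, data:, vbscript: and friends
    if parts.netloc:
        # Absolute or scheme-relative URL: the parsed hostname (not the raw netloc,
        # which may carry user@ or a port) must be on the allowlist.
        host = (parts.hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            return DEFAULT_TARGET
        # Rebuild with https so an http:// target cannot downgrade the session,
        # and drop any fragment.
        return urlunsplit(("https", parts.netloc, parts.path or "/", parts.query, ""))
    # Relative target: must be a site-local path starting with exactly one '/'.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return DEFAULT_TARGET
    return urlunsplit(("", "", parts.path, parts.query, ""))


def demo() -> None:
    """Run a few constructed ?next= values through both handlers."""
    samples = [
        "/account/settings",
        "https://track.example-postal.test/item?id=1",
        "//evil.test/login",
        "/\\evil.test",
        "https://www.example-postal.test@evil.test/",
        "javascript:alert(1)",
    ]
    for value in samples:
        print(f"{value!r:48} vulnerable -> {vulnerable_redirect_target(value)!r:48} "
              f"safe -> {safe_redirect_target(value)!r}")


if __name__ == "__main__":
    demo()
```

The important design choice is that the hardened function parses the value with `urlsplit` and decides on the parsed hostname rather than string-matching the raw text; most real-world open redirect bypasses (scheme-relative URLs, backslashes, `user@host` forms) exist precisely because a prefix check on the raw string is not the same thing as checking where the browser will actually go. Anything the function cannot positively classify falls back to the site root rather than being passed through.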


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.