Space travel is undoubtedly dangerous. And, apparently, so is visiting NASA's legitimate websites. The Cybernews research team independently discovered an open redirect vulnerability plaguing NASA's Astrobiology website.
After finding the flaw, we discovered that an open bug bounty program researcher had already discovered it a couple of months earlier, on January 14th, 2023, but it was not addressed and fixed by the agency.
This means that one of the world's leading space research facilities exposed global users to risk for at least a few months, until May 2023. Attackers could have used the flaw to redirect anyone to malicious websites that prompt users to part with their login credentials, credit card numbers, or other sensitive data.
We’ve reached out to NASA on several occasions since early April but have yet to receive any reply before publishing this article.
What is an open redirect vulnerability?
The open redirect flaw resembles a cheating taxi driver. Suppose you hail a cab and tell the driver where you want to go. Instead of checking the destination, the driver takes you to an unsavory neighborhood.
Similarly, users trying to access astrobiology.nasa.gov could easily have ended up on a malicious website. Normally, web applications validate or sanitize user-provided input, such as a URL or a parameter, to prevent malicious redirects from happening.
“The vulnerability can be exploited by attackers to trick users into visiting malicious websites or phishing pages by disguising the malicious URL as a legitimate one,” Cybernews researchers explained.
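The validation described above, shown as an added example that is not code from the article or from NASA's site: a redirect handler that trusts the parameter verbatim (the bug class) beside a hardened check. The host `trusted.example`, the `next` parameter name and the sample inputs are constructed placeholders.

```python
"""Hardened redirect-target validation (added example, not the article's code)."""
import re
from urllib.parse import urlsplit

ALLOWED_HOST = "trusted.example"   # constructed placeholder for the site's own host
FALLBACK = "/"                     # where to send the user when the target is rejected

# A local path: exactly one leading slash, not "//" or "/\" (browsers resolve both
# as host-relative, i.e. to another origin), and no backslashes anywhere.
_LOCAL_PATH = re.compile(r"^/(?![/\\])[^\\]*$")


def vulnerable_redirect_target(next_param: str) -> str:
    """The open-redirect bug: whatever arrives in ?next= is used as the Location."""
    return next_param


def safe_redirect_target(next_param: str, allowed_host: str = ALLOWED_HOST) -> str:
    """Return next_param only if it stays on allowed_host; otherwise FALLBACK."""
    # Control characters would let the value break out of the Location header.
    if not next_param or any(ord(c) < 0x20 or ord(c) == 0x7F for c in next_param):
        return FALLBACK
    # Same-origin relative path: the common, safest case.
    if _LOCAL_PATH.match(next_param):
        return next_param
    try:
        parts = urlsplit(next_param)
    except ValueError:                 # e.g. malformed IPv6 literal
        return FALLBACK
    # Absolute URL: https only, and the authority must equal the allowed host
    # exactly, so "trusted.example@evil.example", "trusted.example.evil.example"
    # and an explicit ":443" port are all rejected (the last one conservatively).
    if (parts.scheme == "https"
            and parts.netloc.lower() == allowed_host.lower()
            and "\\" not in next_param):
        return next_param
    return FALLBACK


if __name__ == "__main__":
    # Constructed inputs a redirect endpoint might receive.
    for sample in ["/dashboard", "https://trusted.example/news?id=1",
                   "//evil.example/", "///evil.example", "/\\evil.example",
                   "https://trusted.example@evil.example/", "http://trusted.example/"]:
        print(f"{sample!r:45} -> {safe_redirect_target(sample)!r}")
```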
Why is an open redirect flaw dangerous?
An attacker could craft a link to NASA's website with additional parameters and direct users to a destination of their choosing. The malicious destination might even resemble NASA's page, only spruced up with a prompt asking the user to enter credit card data.
Additionally, threat actors could leverage open redirect bugs to lead users onto websites that download malware to their computers or mobile devices immediately upon landing.
Another way to exploit the flaw is to manipulate search engine rankings by redirecting users to websites exhibiting low-quality content or spam.
While we don’t have confirmation that anyone actually exploited the bug that was plaguing NASA’s website, our team, as well as the open bug bounty program researcher, discovered the flaw independently of each other.
Since the open redirect flaw was present for several months, there might have been others with possibly less altruistic intentions who stumbled upon the same discovery.
Do you want to know how to mitigate open redirect vulnerabilities? Take a look at the original post at:
https://cybernews.com/security/nasa-astrobiology-website-flaw/
About the author: Vilius Petkauskas, Senior Journalist at CyberNews
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, NASA)