
NHS site malicious redirects are a warning to developers

Warwick Ashford

A coding error on the NHS.uk website that resulted in visitors being directed to malicious and unrelated advertising websites should serve as a warning to developers, say security experts.

The NHS’s Health and Social Care Information Centre (HSCIC) rushed out a fix for the error that affected more than 800 links.


“We can confirm that this problem has arisen due to an internal coding error and that NHS Choices has not been maliciously attacked,” HSCIC said in a statement.

The NHS claims it was alerted to the problem during routine checks; the problem was reported on the social media site Reddit by a user with the handle Muzzers.

“So while attempting to access flu shot information I stumbled upon a page which redirected me to an advertisement. Digging a bit deeper I found hundreds more pages which redirect to either an advertisement or malware-infested page,” wrote Muzzers.

The NHS traced the source of the problem to a typographical error. “A developer accidentally put ‘translate.googleaspis.com’ rather than ‘translate.googleapis.com’ as the source for the JavaScript file,” it said.

The error went unnoticed until the misspelled address was registered by someone in the Czech Republic, who then used it to capitalise on the error, according to the BBC.

The NHS said no patient data was affected, but it planned to undertake a full code review and put steps in place to ensure that such malicious redirects do not happen again.

“The lesson for software developers is to be diligent not just with code, but also in testing all the links on every web application,” said Paco Hope, principal consultant at Cigital.

“Not every typo ends in an innocent 404 error. In this case, a simple typo pointed users to a domain owned by a hacker who was ready and waiting,” he said.
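The NHS slip, a single extra letter in a third-party script host, is the kind of defect a build-time check can catch before anyone registers the lookalike domain and the harmless 404 turns into a redirect. The script below is an added example, not code from the article, from HSCIC or from any of the firms quoted: it parses the `<script src>` attributes of a page, compares each external host against an allowlist of approved script hosts, and reports the closest approved host for anything unexpected so that a one-letter variant stands out in review. The allowlist and the sample HTML are constructed assumptions for the example.

```python
"""Audit external <script src> hosts in HTML against an allowlist.

Added example (not part of the Computer Weekly article or of NHS code).
Flags every external script host that is not approved and names the
closest approved host, so a typo such as "googleaspis" vs "googleapis"
is obvious to the reviewer.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the application is expected to load scripts from.
# Assumed allowlist, constructed for this example.
APPROVED_SCRIPT_HOSTS = {
    "translate.googleapis.com",
    "ajax.googleapis.com",
}

# Constructed sample page: one same-origin script, one approved host and
# one host with the extra "s" the article describes.
SAMPLE_PAGE = """<html><head>
<script src="/static/site.js"></script>
<script src="https://ajax.googleapis.com/libs/example.js"></script>
<script src="//translate.googleaspis.com/element.js"></script>
</head><body></body></html>"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings.

    A distance of 1 or 2 between an observed host and an approved host is the
    typo pattern worth flagging loudly.
    """
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def audit_script_sources(html: str, approved=APPROVED_SCRIPT_HOSTS) -> list:
    """Return one finding per external script whose host is not approved.

    Each finding is (src, host, closest_approved_host, distance).  Relative
    and same-origin paths have no host and are skipped; scheme-relative
    "//host/path" URLs are treated as external, as the browser would.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        host = urlparse(src).hostname  # lower-cased, no port or userinfo
        if host is None or host in approved:
            continue
        closest = min(approved, key=lambda h: edit_distance(host, h))
        findings.append((src, host, closest, edit_distance(host, closest)))
    return findings


if __name__ == "__main__":
    for src, host, closest, dist in audit_script_sources(SAMPLE_PAGE):
        print(f"UNAPPROVED script host {host!r} in {src!r}; "
              f"closest approved host {closest!r} (edit distance {dist})")
```

Run it over rendered templates or a crawl of the site as part of the build; the only maintenance it needs is keeping the allowlist current, and a small edit distance in a finding is the signal that a reviewer should look for a typo rather than a genuinely new dependency.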

According to the latest Web Application Security Trends report by Swiss security firm High-Tech Bridge, basic mistakes continue to undermine improved coding practices in web applications.

Failure to delete installation scripts, for example, enables cyber criminals to compromise an entire application, the report said.

This highlights the importance of independent security testing and auditing of web applications, as even professional developers may miss or forget to control vital security points, according to High-Tech Bridge.

The firm found that in-house applications made up 40% of the most vulnerable apps, followed by plug-ins and modules for content management systems (30%).

The report said cross-site scripting (XSS) and SQL injection (SQLi) vulnerabilities are still the most common weaknesses, making up 55% and 20% respectively of all vulnerabilities found in 2013.

