NHS site malicious redirects are a warning to developers

A coding error that redirected NHS website visitors to malicious content should be a warning to developers, say security experts

A coding error on the NHS.uk website that resulted in visitors being directed to malicious and unrelated advertising websites should serve as a warning to developers, say security experts.

The NHS’s Health and Social Care Information Centre (HSCIC) rushed out a fix for the error that affected more than 800 links.

“We can confirm that this problem has arisen due to an internal coding error and that NHS Choices has not been maliciously attacked,” HSCIC said in a statement.

The NHS claims it was during routine checks that it was alerted to the problem, which was reported on social media site Reddit by a user with the handle Muzzers.

“So while attempting to access flu shot information I stumbled upon a page which redirected me to an advertisement. Digging a bit deeper I found hundreds more pages which redirect to either an advertisement or malware-infested page,” wrote Muzzers.

More on Web application security

  • Web application firewalls may not fix Web application security issues
  • Insider edition: Web application security
  • Tackling Web application security through secure software development
  • Optimising performance and security of web-based software
  • W3af tutorial: How to use w3af for a Web application security scan
  • Using free Web application security scanning tools to secure Web apps
  • Web application testing: Three lessons
  • An introduction to Web application threat modeling

The NHS traced the source of the problem to a typographical error. “A developer accidentally put ‘translate.googleaspis.com’ rather than ‘translate.googleapis.com’ as the source for the JavaScript file," it said.

The error went unnoticed until the incorrectly spelled address was registered by someone in the Czech Republic, and was then used to capitalise on the error, according to the BBC.

The NHS said no patient data was affected, but it planned to undertake a full code review and put steps in place to ensure that such malicious redirects do not happen again.

“The lesson for software developers is to be diligent not just with code, but also in testing all the links on every web application,” said Paco Hope, principal consultant at Cigital.

“Not every typo ends in an innocent 404 error. In this case, a simple typo pointed users to a domain owned by hacker who was ready and waiting,” he said.  

The lesson for software developers is to be diligent not just with code, but also in testing all the links on every web application

Paco Hope, Cigital

According to the latest Web Application Security Trends report by Swiss security firm High-Tech Bridge, basic mistakes continue to undermine improved coding practices in web applications.

Failure to delete installation scripts, for example, enables cyber criminals to compromise an entire application, the report said.

This highlights the importance of independent security testing and auditing of web applications, as even professional developers may miss or forget to control vital security points, according to High-Tech Bridge.

The firm found that in-house applications made up 40% of the most vulnerable apps, followed by plug-ins and modules for content management systems (30%).

The report said Cross-site scripting (XSS) and SQL injection (SQLi) vulnerabilities are still the most common weaknesses, making up 55% and 20% of all vulnerabilities found in 2013 respectively.

Read more on Hackers and cybercrime prevention

Data Center
Data Management