URL redirect flaw on NBC News website a spammer's dream

NBC and MSNBC have Bitly problems

[Image: server skulls header. Credit: Jen Anderson]

A URL redirection flaw on the NBC News website could be used by scammers to give links a false sense of added trust. This is in addition to ongoing abuse of MSNBC's publicly available Bitly API key, which is being used in an active spam campaign.

Redirection:

URL redirect flaws are a common problem in Web development. So common, in fact, that OWASP added them to their Top 10 list in 2013.

On the NBC News website, an account logout page has an open redirect that can be used to send a visitor anywhere. However, if the custom redirection URL is added to Bitly, a URL shortening service, the long, messy-looking URL (1) is translated into something cleaner (2) that is easily trusted at first glance.

(1)

hxxps://secure.nbcnews.com/_tps/accounts/logout?redirect=http://www.csoonline.com/blog/salted-hash-top-security-news

(2)

hxxp://nbcnews.to/1zXDzgR
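The fix for a logout page like the one above is to check the redirect parameter against a list of hosts the site actually owns before issuing the 302. The following is an added example, not NBC's code; the function name, the allowed host list and the default landing page are assumptions made for the illustration.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit, urljoin

# Assumed for the example: hosts this site is willing to send users on to.
ALLOWED_HOSTS = frozenset({"secure.nbcnews.com", "www.nbcnews.com"})
DEFAULT_TARGET = "https://www.nbcnews.com/"


def safe_redirect_target(requested: Optional[str],
                         allowed_hosts: Iterable[str] = ALLOWED_HOSTS,
                         default: str = DEFAULT_TARGET) -> str:
    """Return ``requested`` only if it points at an allowed host, else ``default``.

    An open redirect forwards to whatever ``redirect=`` names; validating the
    destination host before building the Location header closes it.
    """
    if not requested:
        return default
    # Browsers treat backslashes as slashes; normalise before parsing so the
    # parser sees the same URL the browser will.
    candidate = requested.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default                      # only web schemes may be followed
    if parts.scheme and not parts.netloc:
        return default                      # scheme without an authority part

    if not parts.scheme and not parts.netloc:
        # Plain relative path: resolve it against our own origin.
        if not candidate.startswith("/"):
            return default
        return urljoin(default, candidate)

    # Absolute (or protocol-relative) URL: compare the parsed hostname, not the
    # raw netloc, so credentials or a port in the authority cannot mask the host.
    host = (parts.hostname or "").lower()
    if host not in set(allowed_hosts):
        return default
    return candidate


def logout_location_header(redirect_param: Optional[str]) -> str:
    """Value for the Location header a logout handler would emit."""
    return safe_redirect_target(redirect_param)
```

The off-site URL from example (1) above falls back to the default landing page, while a same-site path or an allowed absolute URL passes through unchanged.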

However, this URL redirection problem isn't the only thing NBC is dealing with today.

Weight loss scamming:

Scammers have abused MSNBC's Bitly API key in order to propagate a spam campaign pushing weight loss products.

A single URL used in this scheme has gained more than 2,000 clicks, simply because it comes from an hxxp://on.msnbc.com address.

Bitly has been contacted, and the referrals from their shortened URL to the spammer's domain have stopped. However, because the API key used by MSNBC is still valid, all the scammers need to do is regenerate their URLs and shorten them again.

This type of problem was expected by Bitly when they introduced the custom URL scheme. It's addressed in their API documentation, which states that all requests to the Bitly API should be done server-side, on the back end.

Update:

Some of you may have come to this story due to a proof-of-concept post that leveraged the open redirect script. If so, the full URL used is below (3), along with the shortened version (4).

As of 2:12 p.m. EST on 21 July 2014, Bitly has fixed the forwarding on the URL and changed it.

(3)

hxxps://secure.nbcnews.com/_tps/accounts/logout?redirect=http://www.csoonline.com/article/2455117/application-security/url-redirect-flaw-on-nbc-news-website-a-spammers-dream.html

(4)

hxxp://nbcnews.to/1qXQ9Xm
