Cyber Security Threat Summary:
The open redirect vulnerability plaguing NASA's Astrobiology website was independently discovered by the Cybernews research team. Upon finding the flaw, it was revealed that a researcher from an open bug bounty program had already identified it a few months earlier on January 14th, 2023. However, the agency failed to address and fix the vulnerability, exposing global users to risks until May 2023. Attackers could have exploited the flaw to redirect unsuspecting users to malicious websites, luring them into providing sensitive data such as login credentials and credit card numbers.

NASA has been contacted multiple times since early April, but no response has been received prior to the publication of this article. The open redirect flaw can be likened to a dishonest taxi driver. When you hail a cab and provide your desired destination, instead of taking you there, the driver leads you to an undesirable neighborhood.

In a similar manner, users attempting to access astrobiology[.]nasa[.]gov could have easily been redirected to a malicious website. Normally, web applications validate or sanitize user-provided input, such as a URL or a parameter, to prevent malicious redirects from occurring. According to Cybernews researchers, "The vulnerability can be exploited by attackers to trick users into visiting malicious websites or phishing pages by disguising the malicious URL as a legitimate one."

Security Officer Comments:
The open redirect vulnerability found in NASA's website poses grave risks. By introducing additional parameters, an attacker gains the ability to redirect users to destinations of their choosing. This deceitful redirection might even mimic NASA's official page, tricking unsuspecting users into submitting their credit card details. Additionally, threat actors can exploit these open redirect vulnerabilities to force users onto websites that immediately download malware onto their devices. Another exploitative tactic involves manipulating search engine rankings through redirects to sites harboring spam or low-quality content. While no concrete evidence of exploitation on NASA's website exists, both the independent Cybernews research team and the open bug bounty program researcher discovered this flaw. Considering the prolonged existence of this open redirect vulnerability, it is plausible that other individuals with malicious intent have also stumbled upon this discovery.

Suggested Correction(s):
To mitigate the risk of open redirect vulnerabilities, web developers need to implement proper input validation and sanitization techniques to ensure that user-supplied input for redirection is secure and limited to trusted destinations.

Link(s):
https://securityaffairs.com/147150/security/nasa-website-flaw-jeopardizes-astrobiology-fans.html