7:01 AM, Mar 10, 2014 • By JERYL BIER
Less than a month after the exposure of a widespread vulnerability on government "open data" websites, another perhaps even more insidious opening for abuse of government websites has come to light. The problem is known as an "unvalidated redirect," and has been found on the websites of the Environmental Protection Agency, the Treasury Department, and even the Senate, among others. The vulnerability is not a new one and could extend back months if not years, and is not an uncommon problem on commercial websites either.
A "redirect" is a web address that automatically opens a different webpage or, in many cases, even a completely different website from the one the original address, or URL, indicated. Generally when a government website directs a user to an external site, a warning or disclaimer appears alerting the user. For instance, the Centers for Medicare and Medicaid Services website places a small "world" icon next to external links, and the site has a page explaining the disclaimer:
Other government sites follow a different protocol where a special disclaimer page is displayed for several seconds after the external link is clicked before the user is automatically taken to the new page or site. While this protocol is not a problem in and of itself, if the script that performs the redirect does not restrict destinations to a list of sites the host site has approved, any web address can be substituted. This can allow unscrupulous website operators to provide a link in a website or an email that begins with a legitimate government address, such as senate.gov or epa.gov, but then quickly and automatically transports users to any website they choose.
The website for the Senate is an especially serious example of this vulnerability because of the complete lack of a disclaimer on the "exit" page before the redirect takes place. Senators often will direct website users to pertinent news articles, stories concerning constituent issues, or government services on other federal websites. However, the following screen is all that users see before they are bounced to the new page or site:
Since the script for the exit page is not restricted, anyone can establish a link by entering a [web address] after this prefix:
http://www.senate.gov/cgi-bin/exitmsg?url=[web address]
For example, this link directs users to Google.com after bouncing off of Senate.gov:
http://www.senate.gov/cgi-bin/exitmsg?url=http://www.google.com
But replacing "www.google.com" with any website works just the same way to direct users to that site. This opening could easily be exploited by inserting this type of link in a phishing email or a website and inviting users to simply click on what appears to be a Senate website address but in reality is a redirect to a phishing site. At that point, personal information could be solicited with the apparent endorsement of the Senate.
A bold scammer could even explicitly tell users, for example, that "you will see a message that you are exiting the Senate web server system and being transferred to our secure data collection site." Without a restriction on redirect links or even a disclaimer, there is nothing to warn an unsuspecting user that the Senate is in no way connected with the linked site.
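To make the flaw and its fix concrete, here is an added example, not the Senate's or any agency's actual code: a small model of a CGI-style "exit" page that reads its destination from a ?url= parameter, first as the article describes it (no check at all) and then hardened with an exact-match allow list. The parameter name, the allow-listed hosts and the phishing host names are assumptions made for illustration; the parsing edge cases it rejects (scheme-relative "//host", userinfo "trusted@evil", look-alike suffixes such as "trusted.example.evil") are the ones that commonly defeat weaker checks.

```python
"""Open ("unvalidated") redirect: a vulnerable exit-page handler next to
a hardened one.

Added example, not the Senate's or any agency's actual code.  It models a
CGI-style exit page that takes its destination from a ?url= query
parameter; the parameter name, the allow-list and the host names are
assumptions made for illustration.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical allow-list: the only external hosts this exit page may send users to.
ALLOWED_HOSTS = {"www.google.com", "www.gpo.gov"}


def _url_param(query: str) -> Optional[str]:
    """Pull the ?url= value out of a raw query string (None if absent)."""
    return parse_qs(query).get("url", [None])[0]


def vulnerable_redirect(query: str) -> Optional[str]:
    """The flaw the article describes: whatever ?url= says becomes the
    Location header, so a link that starts with the trusted domain can
    land the user anywhere, including a phishing site."""
    return _url_param(query)


def safe_redirect(query: str) -> Optional[str]:
    """Hardened: redirect only to an exact, allow-listed host.
    Returns None when the server should refuse and show an error instead."""
    url = _url_param(query)
    if not url:
        return None
    parts = urlsplit(url)
    # Absolute http(s) only.  This blocks javascript:/data: URLs and the
    # scheme-relative form "//evil.example", which browsers resolve to
    # http(s)://evil.example.
    if parts.scheme not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower()
    # The network location must be exactly the host: no userinfo
    # ("www.google.com@evil.example" actually goes to evil.example),
    # no port, no characters a different parser might treat differently.
    if parts.netloc.lower() != host:
        return None
    # Exact membership, never a substring or suffix test:
    # "www.google.com.evil.example" and "evil.example/www.google.com"
    # both contain the trusted name and both must fail.
    if host not in ALLOWED_HOSTS:
        return None
    return url


def safe_local_redirect(query: str) -> Optional[str]:
    """Alternative for pages that only ever bounce within their own site:
    accept a site-relative path and nothing else."""
    url = _url_param(query)
    if not url or not url.startswith("/"):
        return None
    # Browsers treat "//evil.example" and "/\evil.example" as absolute URLs.
    if url.startswith("//") or url.startswith("/\\"):
        return None
    return url


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate link and three phishing variants.
    for q in ("url=http://www.google.com/",
              "url=http://phish.example/login",
              "url=http://www.google.com@phish.example/",
              "url=//phish.example/"):
        print(f"{q:45} vulnerable={vulnerable_redirect(q)!r:40} safe={safe_redirect(q)!r}")
```

The allow-list approach is the right one for an exit page whose purpose is to send users off-site; the interstitial disclaimer the article asks for is a separate, additional control and does not substitute for it, since a determined scammer can simply tell the victim to expect it. Rejecting anything that is not an exact host match is deliberate: the classic bypasses all rely on a check that looks for the trusted name somewhere in the URL rather than verifying what the browser will actually connect to.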
7:34 AM, Feb 25, 2014 • By DANIEL HALPER
Steve Hayes, with Elise Viebeck and Jason Riley, last night on Fox News:
8:01 AM, Jan 15, 2014 • By JERYL BIER
The EPA awarded $461,368 in grants this week for various environmental projects along the U.S.-Mexico border. About half of the funds went to projects in Calexico, CA and Phoenix, AZ, but the remaining $230,000 went to two cities on the Mexican side of the border, Nogales and Ensenada.
Dec 30, 2013, Vol. 19, No. 16 • By THE SCRAPBOOK
Truth to tell, The Scrapbook has gotten as good a laugh as anyone out of the saga of John C. Beale, the retired Environmental Protection Agency official—Princeton grad, onetime deputy assistant administrator in the Office of Air and Radiation, congressionally certified expert on global warming—who has been sentenced to 32 months in prison for stealing nearly a million dollars from the federal government.
Oct 7, 2013, Vol. 19, No. 05 • By MARK HEMINGWAY
On September 20, the Environmental Protection Agency proposed strict new limits on emissions from coal-fired power plants. Energy industry critics, along with a number of influential unions, were quick to decry them. The regulations would limit carbon emissions for new coal plants to 1,100 pounds per megawatt hour. The technology to meet this standard, which involves pumping carbon dioxide deep underground, is so expensive that the coal industry says it will effectively prevent new coal plants from being built.
Jun 24, 2013, Vol. 18, No. 39 • By THE SCRAPBOOK
It’s going to be a long summer in Washington. With so many scandals, news organizations that have spent years sweeping startling allegations about the Obama administration under the rug now find themselves overwhelmed. Woe betide the average citizen who just wants to know what the heck his government is up to.
3:52 PM, Jun 4, 2013 • By DANIEL HALPER
President Obama today nominated three liberals to fill longstanding judicial vacancies on the important Court of Appeals for the District of Columbia. Will the Senate rubber-stamp the president's nominees—even though the court's fine as it is, with the eight judges currently serving enjoying the lightest caseload in the country? In 2006, when the Senate refused to consider the nomination of Peter Keisler to that court, Senator Ted Kennedy stressed that “we should consider these caseload declines carefully before we fill the current vacancy. American taxpayers deserve no less.” Since then, the court has only added more judges and heard fewer cases.
12:20 PM, Jun 4, 2013 • By GEOFFREY NORMAN
High officials in the Obama administration are using "secret e-mail accounts," according to the Associated Press, and stonewalling when asked about them, even by establishment media operations.
11:36 AM, Dec 27, 2012 • By DANIEL HALPER
The New York Times reports:
Lisa P. Jackson is stepping down as administrator of the Environmental Protection Agency after a four-year tenure that began with high hopes of sweeping action to address climate change and other environmental ills but ended with a series of rear-guard actions to defend the agency against challenges from industry, Republicans in Congress and, at times, the Obama White House.
9:22 AM, Dec 15, 2012 • By DANIEL HALPER
Two members of Congress sent a letter to EPA administrator Lisa Jackson over her use of the alias "Richard Windsor." The congressmen, Fred Upton and Cliff Stearns, want Jackson to explain her actions.
3:16 PM, Nov 27, 2012 • By GEOFFREY NORMAN
The world's greatest deliberative body (just ask any of its members) got hung up over what is called a "Sportsmen's Bill." The impasse came on the first day after the Thanksgiving holiday, which is, traditionally, a time when hunters like to be in the deer woods and duck marshes, which the bill supposedly would have expanded and made more accessible. This is one of those bills that is said to "enjoy wide, bipartisan support."
Obama deserts coal; Democrats desert Obama. Sep 24, 2012, Vol. 18, No. 02 • By HENRY PAYNE
Charleston, W. Va.
The billboard high over I-64 outside the capital of this blue-collar state minces no words: “Obama’s NO JOBS ZONE: The President talks about creating jobs but his EPA is destroying jobs.”
Businessmen across nearly every American industry cite the Obama administration’s regulatory assault—from Obamacare to bank lending restrictions to fuel-economy mandates—as a cause of America’s jobless recovery. But perhaps no industry can count job losses the White House is causing like the coal industry.