Less than a month after the exposure of a widespread vulnerability on government "open data" websites, another, perhaps even more insidious, opening for abuse of government websites has come to light. The problem is known as an "unvalidated redirect" (often called an "open redirect"), and has been found on the websites of the Environmental Protection Agency, the Treasury Department, and even the Senate, among others. The vulnerability is not a new one and could extend back months if not years, and it is not an uncommon problem on commercial websites either.
A "redirect" is a web address that automatically sends the browser to a different webpage or, in many cases, even to a completely different website than the one the original address, or URL, indicated. Generally, when a government website directs a user to an external site, a warning or disclaimer appears alerting the user. For instance, the Centers for Medicare and Medicaid Services website places a small "world" icon next to external links, and the site has a page explaining the disclaimer:
Other government sites follow a different protocol, where a special disclaimer page is displayed for several seconds after the external link is clicked before the user is automatically taken to the new page or site. While this protocol is not a problem in and of itself, if the website code does not restrict redirects to sites approved by the host site, any web address can be substituted. This allows unscrupulous website operators to provide a link, in a website or an email, that begins with a legitimate government address, such as senate.gov or epa.gov, but then quickly and automatically transports users to any website they choose.
The website for the Senate is an especially serious example of this vulnerability because of the complete lack of a disclaimer on the "exit" page before the redirect takes place. Senators often will direct website users to pertinent news articles, stories concerning constituent issues, or government services on other federal websites. However, the following screen is all that users see before they are bounced to the new page or site:
Since the script for the exit page does not restrict where it will send the user, anyone can construct a link by entering a [web address] after this prefix: http://www.senate.gov/cgi-bin/exitmsg?url=[web address] For example, this link directs users to Google.com after bouncing off of Senate.gov: http://www.senate.gov/cgi-bin/exitmsg?url=http://www.google.com Replacing "www.google.com" with any other website works just the same way to direct users to that site. This opening could easily be exploited by inserting this type of link in a phishing email or on a website and inviting users to click on what appears to be a Senate website address but in reality is a redirect to a phishing site. At that point, personal information could be solicited with the apparent endorsement of the Senate.
A bold scammer could even explicitly tell users, for example, that "you will see a message that you are exiting the Senate web server system and being transferred to our secure data collection site." Without a restriction on redirect targets, or even a disclaimer, there is nothing to warn an unsuspecting user that the Senate is in no way connected with the linked site.
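The fix described above, restricting redirects to sites approved by the host site, is simple in principle but easy to get wrong. The following is an added example, not code from the Senate's exit script or from any of the agencies named here; it places a mirror of the unrestricted behavior next to a hardened version that checks the url parameter against an allowlist of approved hosts. The hosts in ALLOWED_HOSTS, the fallback page, and the attacker inputs in the demo are constructed for illustration and are not taken from the article.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist of hosts the operator approves as redirect targets.
# Hypothetical: the real list of sites approved by senate.gov is not on the page.
ALLOWED_HOSTS = {"www.senate.gov", "www.epa.gov", "www.treasury.gov"}

# Where to send the browser when the requested target is rejected (hypothetical).
FALLBACK = "https://www.senate.gov/"


def vulnerable_exit(url):
    """Mirror of the behaviour described for /cgi-bin/exitmsg?url=...:
    whatever the caller supplied becomes the Location header, unchecked."""
    return "Location: " + url


def validate_redirect_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Return the URL if it is an absolute http(s) URL whose host is on the
    allowlist, otherwise None. Rejects the usual bypass tricks:
      - CR/LF (HTTP header injection) and backslashes (browsers treat them as '/')
      - scheme-relative URLs such as //evil.example/ (no scheme at all)
      - non-http schemes such as javascript: or data:
      - userinfo tricks such as http://www.senate.gov@evil.example/
      - look-alike hosts such as www.senate.gov.evil.example
    """
    if not url or any(ch in url for ch in "\r\n\\"):
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    # Anything before '@' in the authority is userinfo; legitimate targets never need it.
    if parts.username is not None or parts.password is not None:
        return None
    host = (parts.hostname or "").lower()
    # Exact match only: a suffix or substring check would accept look-alike domains.
    if host not in allowed_hosts:
        return None
    # Rebuild the URL from its parsed parts so the header contains exactly what we checked.
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/",
                       parts.query, parts.fragment))


def hardened_exit(url):
    """Hardened replacement for the exit handler: redirect only to approved hosts,
    otherwise send the browser to the fallback page instead of the attacker's site."""
    target = validate_redirect_target(url)
    return "Location: " + (target if target is not None else FALLBACK)


if __name__ == "__main__":
    # Constructed inputs: one legitimate target followed by typical abuse attempts.
    samples = [
        "http://www.epa.gov/",
        "http://www.google.com",
        "//evil.example/",
        "http://www.senate.gov@evil.example/",
        "http://www.senate.gov.evil.example/",
        "javascript:alert(1)",
        "http://www.epa.gov/\r\nSet-Cookie: session=attacker",
    ]
    for s in samples:
        print("%-55r vulnerable -> %s" % (s, vulnerable_exit(s).replace("\r\n", "\\r\\n")))
        print("%-55r hardened   -> %s" % (s, hardened_exit(s)))
```

An allowlist of hosts is the minimum; a stronger design never accepts a URL from the user at all and instead issues redirects by an opaque key that the server maps to a URL it stored when the link was published. Either way, the disclaimer page should still be shown, since the point of that page is to tell the user that the site they are about to reach is not the one whose name is in the address bar.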