‘The page has since been permanently deleted’, a government spokesperson told The Daily Swig
A “dormant” webpage belonging to the UK government’s Department for Transport (DfT) has been deleted after it was found to be serving up pornographic content to site visitors.
Last week, UK tech blog The Crow published details of an apparent oversight from gov.uk website administrators, amid claims that someone had “set the DNS record for charts.dft.gov.uk to point away from Her Majesty’s own servers to a place better suited to hosting adult material”.
While the webpage in question was subsequently taken down, archived snapshots of charts.dft.gov.uk (which we will not link to here for obvious reasons) show that it was indeed serving up pornographic content.
News of the NSFW snafu soon appeared on Y Combinator’s Hacker News, among other forums.
While there was some speculation over the exact cause, the consensus was that the issue resulted from a ‘dangling’ DNS record: a record left pointing at an external host or cloud resource that was no longer under the department’s control, which allowed an unauthorized third party to claim that resource and so carry out a subdomain takeover.
A DfT spokesperson told The Daily Swig that the issue has now been fixed.
“A disused, dormant page of the Department for Transport’s Gov.uk website has been used,” they said on Friday (November 26). “No information or data has been lost or compromised. The website address has since been permanently deleted.”
Subdomain takeovers are a common fixture in the bug bounty market. While they typically garner low payouts, there have been some notable examples of subdomain takeovers being used as part of more complex attacks that allow unauthorized third parties to pivot and gain entry to critical company infrastructure.
Offering insight into the subdomain takeover threat landscape, Shlomie Liberow, principal security architect at HackerOne, told The Daily Swig: “The increased reliance on cloud services means we’re seeing more DNS configuration changes, which can lead to an unauthorized actor claiming ownership over a cloud resource.”
“The impact to the business varies, but such a takeover can be used to support phishing attacks or bypass existing security controls such as Content Security Policy (CSP) or Cross-Origin Resource Sharing (CORS) configurations.”
Liberow added: “Avoid unused, or defunct, services or web pages being exploited in this way by auditing your assets and decommissioning any services that are no longer in use.”
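The audit that Liberow recommends, and the dangling-record condition behind the charts.dft.gov.uk incident, can both be illustrated with a small check over a zone's CNAME records. The script below is an added example written for this page; it is not code from the article, from DfT, or from gov.uk. The zone, the resolver answers and the list of provider suffixes are all constructed for illustration (the domain is a hypothetical example.gov.uk, not DfT's real records). It flags a CNAME as dangling when its target no longer exists, and separately flags targets on multi-tenant hosting where a live DNS answer alone does not prove the resource is still yours, because the provider's shared front end may keep answering after the resource is deleted.

```python
"""Audit a DNS zone for dangling CNAME records that could enable subdomain takeover.

Added illustration for this article, not code from The Daily Swig, DfT or gov.uk.
Zone data, resolver answers and the provider suffix list are constructed.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to its A records, or None when the name cannot be resolved.
Resolver = Callable[[str], Optional[List[str]]]

# Constructed, illustrative list (assumption, not exhaustive): suffixes of third-party hosting
# where a deleted resource's hostname may still resolve to the provider's shared edge, so a
# live answer says nothing about who currently controls the resource.
CLAIMABLE_SUFFIXES = (".s3.amazonaws.com", ".azurewebsites.net", ".github.io", ".herokudns.com")


@dataclass(frozen=True)
class Finding:
    name: str     # subdomain in our zone
    target: str   # what its CNAME points at
    status: str   # "dangling" | "needs-claim-check" | "ok"


def classify_cname(name: str, target: str, resolve: Resolver) -> Finding:
    """Classify one CNAME record using the supplied resolver."""
    answers = resolve(target)
    if answers is None:
        # Target no longer exists: whoever can create it takes over our subdomain.
        return Finding(name, target, "dangling")
    if target.lower().endswith(CLAIMABLE_SUFFIXES):
        # Resolves, but to a multi-tenant provider: confirm the resource is still ours.
        return Finding(name, target, "needs-claim-check")
    return Finding(name, target, "ok")


def audit_zone(zone: Dict[str, str], resolve: Resolver) -> List[Finding]:
    """Return a finding for every CNAME in the zone, most urgent first."""
    order = {"dangling": 0, "needs-claim-check": 1, "ok": 2}
    findings = [classify_cname(n, t, resolve) for n, t in zone.items()]
    return sorted(findings, key=lambda f: (order[f.status], f.name))


# Constructed sample zone (hypothetical domain): subdomain -> CNAME target
SAMPLE_ZONE: Dict[str, str] = {
    "www.example.gov.uk": "origin.example.gov.uk",
    "charts.example.gov.uk": "retired-charts.example-host.net",  # service gone, record left behind
    "files.example.gov.uk": "example-files.s3.amazonaws.com",    # bucket may or may not still be ours
}

# Constructed resolver answers standing in for real DNS lookups
SAMPLE_ANSWERS: Dict[str, Optional[List[str]]] = {
    "origin.example.gov.uk": ["203.0.113.10"],
    "retired-charts.example-host.net": None,             # NXDOMAIN
    "example-files.s3.amazonaws.com": ["198.51.100.7"],  # provider edge answers regardless of bucket state
}


def fake_resolve(host: str) -> Optional[List[str]]:
    """Offline resolver over the constructed answers; unknown names count as unresolved."""
    return SAMPLE_ANSWERS.get(host)


def live_resolve(host: str) -> Optional[List[str]]:
    """Real lookup via the system resolver; swap in for fake_resolve to audit a real zone.
    Any lookup failure (NXDOMAIN, SERVFAIL, timeout) is reported as unresolved, so confirm
    'dangling' findings with a direct query before acting on them."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return None


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE, fake_resolve):
        print(f"{f.status:18} {f.name} -> {f.target}")
```

Run as-is it reports the constructed zone offline; pass `live_resolve` instead of `fake_resolve` to check real records. A "dangling" result is the condition that lets an outsider claim the target and publish whatever they like under your hostname; a "needs-claim-check" result wants a provider-specific follow-up (for example, fetching the target over HTTP and looking for the provider's "resource not found" response), since DNS alone cannot tell you whether the resource is still registered to you. Removing the stale record, as DfT did, closes the hole either way.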