A recent study conducted by our researchers has revealed a concerning cybersecurity threat on the web. We have identified millions of clickable links, which we refer to as “hijackable hyperlinks,” that can redirect users to malicious destinations. These vulnerabilities exist across the entire web, including on trusted websites.
What is particularly alarming is that we have discovered these hijackable hyperlinks on the websites of major companies, religious organizations, financial firms, and even governments. The most concerning aspect is that these hyperlinks can be hijacked without triggering any alarms. Only vigilant users would be able to avoid falling into these traps.
If we were able to find these vulnerabilities, it means that others can as well. Here is what you need to know about this issue.
Hijackable hyperlinks are links on websites that can lead users to phishing sites or other malicious destinations. For example, if you mistakenly enter a wrong web address for your bank, you may end up on a phishing site that impersonates your bank’s website and attempts to steal your personal information. This can result in identity theft, compromised accounts, or financial loss.
Programmers can also inadvertently mistype web addresses in their code, leading users to internet domains that have never been purchased. These are known as phantom domains. If someone purchases these phantom domains, they can hijack the inbound traffic directed towards them. This can expose users to various traps, such as malicious scripts, misinformation, offensive content, viruses, and future hacking techniques.
Our research involved analyzing the entire browsable web using high-performance computing clusters. We processed over 10,000 hard drives’ worth of data and discovered over 572,000 phantom domains with hijackable hyperlinks. These vulnerabilities were found on many trusted websites, including web-based software designed to enforce privacy legislation.
We categorized the errors that caused these vulnerabilities, with most being typos in hyperlinks. Another type of vulnerability we found was placeholder domains, which programmers use when developing websites without specific domains. These placeholder domains are often not updated when design templates are installed on websites, making them hijackable.
To determine if these hijackable hyperlinks could be exploited, we purchased 51 of the phantom domains and observed the inbound traffic. We detected significant traffic coming from the hijacked links compared to similar new domains without hijacked links.
For average web users, it is crucial to be aware that links cannot be trusted. Vigilance is key to avoiding falling for hijacked links.
For website operators and companies, we recommend implementing technical countermeasures. One simple solution is to regularly crawl websites for broken links using free tools. If any broken links are found, they should be fixed promptly to prevent hijacking.
The web has become an integral part of our lives, and data security should no longer be considered a secondary concern. As our dependence on the web deepens, it is essential to prioritize web data security and take necessary precautions to protect ourselves and our information.
