A “dormant” webpage belonging to the UK government’s Department for Transport (DfT) has been deleted after it was found to be serving pornographic content to site visitors.
Last week, UK tech blog The Crow published details of an apparent oversight from gov.uk website administrators, amid claims that someone had “set the DNS record for charts.dft.gov.uk to point away from Her Majesty’s own servers to a place better suited to hosting adult material”.
While the webpage in question was subsequently taken down, archived snapshots of charts.dft.gov.uk (which we will not link to here for obvious reasons) show that it was indeed serving pornographic content.
News of the NSFW snafu soon appeared on Y Combinator’s Hacker News, among other forums.
While there was some speculation over the exact cause, the consensus was that the issue resulted from a ‘dangling’ DNS record that allowed an unauthorized third party to carry out a subdomain takeover. In a typical case of this kind, a subdomain’s CNAME is left pointing at a hostname on a third-party hosting platform after the resource behind it has been deprovisioned; if the provider lets any customer claim that hostname, whoever registers it can serve arbitrary content under the original domain without ever touching the owner’s DNS. The usual fix is to delete the stale record, or to reclaim the target on the provider before the record is removed.
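The check that would have caught a record like this is straightforward to automate. The script below is an added example, not code from the article or from the DfT: it walks a zone export of CNAME records, treats a target that no longer resolves as a candidate dangling record, and escalates it to a likely takeover when the target sits on a platform where unclaimed hostnames can be registered by anyone. The zone, the resolver answers and the list of claimable suffixes are all constructed for the example; `live_resolve` is included for running the same logic against a real zone.

```python
import socket

# Constructed sample zone export (subdomain -> CNAME target). These are
# hypothetical names for the example, not the DfT's real DNS records.
SAMPLE_ZONE = {
    "charts.example.gov.test": "example-charts.azurewebsites.net",
    "www.example.gov.test": "cdn-front.example-cdn.net",
    "old-blog.example.gov.test": "example-blog.herokuapp.com",
    "status.example.gov.test": "example-status.statuspage.io",
}

# Constructed resolver answers: a target missing from this table is treated
# as NXDOMAIN, which is what a deprovisioned app hostname typically returns.
STUB_ANSWERS = {
    "cdn-front.example-cdn.net": "203.0.113.10",
    "example-status.statuspage.io": "198.51.100.7",
}

# Hosting platforms on which an unclaimed hostname can be registered by any
# customer. Illustrative, not exhaustive; maintain it from your own inventory.
CLAIMABLE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".herokuapp.com",
    ".github.io",
    ".s3.amazonaws.com",
)


def stub_resolve(name):
    """Offline stand-in for DNS resolution; returns an address or None."""
    return STUB_ANSWERS.get(name)


def live_resolve(name):
    """Real resolver for use against an actual zone (network required)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify(target, resolve):
    """Return 'dangling', 'review' or 'ok' for one CNAME target."""
    claimable = target.lower().endswith(CLAIMABLE_SUFFIXES)
    if resolve(target) is None:
        # NXDOMAIN on a claimable platform: anyone who registers this name
        # with the provider serves content under our subdomain. NXDOMAIN
        # elsewhere is a stale record that still deserves a look.
        return "dangling" if claimable else "review"
    # The target resolves, but a deleted app on a shared platform can still
    # answer with the provider's "no such site" page, so flag it for review.
    return "review" if claimable else "ok"


def find_dangling(zone, resolve=stub_resolve):
    """Map every subdomain in the zone to its classification."""
    return {sub: classify(target, resolve) for sub, target in zone.items()}


if __name__ == "__main__":
    for sub, verdict in sorted(find_dangling(SAMPLE_ZONE).items()):
        print(f"{verdict:8} {sub}")
```

Run against a real zone by passing `live_resolve` to `find_dangling`. A "dangling" verdict is the case described above and should be fixed by deleting the record or reclaiming the target; "review" results need a manual check, since a resolving platform hostname can still belong to nobody.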
A DfT spokesperson told The Daily Swig that the issue has now been fixed.
“A disused, dormant page of the Department for Transport’s Gov.uk website has been used,” they said on Friday (November 26). “No information or data has been lost or compromised. The website address has since been permanently deleted.”
Subdomain takeovers are a common class of bug bounty submission. While they typically garner low payouts, there have been some notable examples of subdomain takeovers being used as part of more complex attacks: content served from a trusted subdomain can be used for convincing phishing, can read or set cookies scoped to the parent domain, and can satisfy origin-based trust such as CORS or OAuth redirect allowlists, allowing unauthorized third parties to pivot and gain entry to critical company infrastructure.
Source: https://portswigger.net/daily-swig/uk-department-for-transport-caught-inadvertently-serving-pornographic-content-to-site-visitors