FCKeditor Exploit: How Open Redirect Vulnerabilities Fuel SEO Poisoning
The attackers exploited open redirect requests associated with FCKeditor, a web text editor that used to be popular.
Medusa
7 mins
What happened during the FCKeditor exploit?
Attackers worldwide are abusing FCKeditor, an outdated web editor discontinued 14 years ago, on the websites of educational and government organizations. Their goal is not to break into those sites but to distort search results by pushing malicious and scam pages through them.
Screenshot of FCKEditor
The attackers in this campaign exploited open redirect requests associated with FCKeditor, a web text editor that was popular in the past. FCKeditor allows users to directly edit HTML content on web pages.
twitter message from CKEditor
Who is affected by the FCKeditor attack?
Hackers worldwide have exploited FCKeditor to manipulate search results with harmful sites or scams, affecting schools, government offices, and companies. This exploitation puts people at risk of scams or viruses during online searches. The campaign also targets government and business websites that still use the old FCKeditor plugin. This includes sites like Virginia's government site, Austin, Texas's government site, Spain's government site, and Yellow Pages Canada.
Open Redirect
Open Redirect is a security vulnerability that occurs when an application unsafely uses user-controllable data as the target for a redirection. It allows attackers to divert users from a trusted site to a malicious site of their choice, frequently for phishing or other malicious purposes.
Imagine you're using an app, and you receive a link that seems harmless, like clicking to view a recommended item. However, when you click it, instead of going where you expect, you're directed to an entirely different location, possibly a site attempting to steal your data or infect your device.
Normal API call:
API call with open redirect vulnerability:
This occurs because the app didn't properly verify where the link was directing you. For instance, if you're using an app like exampleapp.com, and you tap on a link promising to take you to safe-site.com, but it actually sends you to dangerous-site.com.
The attacker manipulates the URL to divert users to a phishing site, aiming to steal their login details.
Some Open Redirect CVEs to Check:
CVE-2023-22797 : Before Rails 7.0.4.1, attackers could exploit an open redirect vulnerability by using untrusted user input in the redirect_to function.
CVE-2023-38574 : Before version 7.9.6, attackers could exploit an open redirect vulnerability in VI Web Client to redirect users to malicious sites via crafted URLs.
CVE-2019-11016 : An open redirect vulnerability in the Elgg framework before 1.12.18 and 2.3.x before 2.3.11, found and reported by the Qualys Web Application Scanning team and promptly fixed by the Elgg team.
CVE-2023-28370 : Remote unauthenticated attackers can conduct phishing attacks through specially crafted URLs in Tornado versions 6.3.1 and earlier due to an open redirect vulnerability.
What is SEO Poisoning?
SEO poisoning is a tactic used by hackers where they manipulate search engine results to display their malicious websites. They do this by exploiting vulnerabilities in trusted websites to redirect users to harmful sites. These harmful URLs are then indexed by search engines and displayed in search results. This can lead users to scams, phishing attempts, or malware that can steal their personal information or infect their devices.
When a hacker exploits an open redirect vulnerability on a trusted website, they can manipulate the URL to redirect users to malicious sites without their knowledge. These redirected links can then be indexed by search engines like Google and show up in search results.
Now, imagine someone searching for a popular topic like "best online deals" on Google. The search engine aims to provide the most relevant and trustworthy results, so it ranks websites based on factors like popularity, relevance, and credibility.
Here's where the hacker's strategy comes into play: an open redirect URL lives on the trusted site's own domain, so the search engine attributes that domain's reputation to the link, even though following it lands on the attacker's site. The malicious destination inherits a ranking it could never earn on its own.
As a result, when users click on these manipulated links in the search results, they're unknowingly directed to harmful websites instead of the legitimate ones they were expecting. These malicious sites could contain scams, phishing attempts, or malware designed to steal personal information or infect their devices.
Since search engines index these redirected links and display them in search results, they can remain active and visible for a considerable amount of time before being detected and removed. This gives hackers ample opportunity to continue their malicious activities, posing significant risks to the cybersecurity and privacy of users.
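The indexing described above leaves a trail in the trusted site's own access logs: a 3xx response on a page whose query string names an off-site URL, reached either by a search-engine crawler or by a visitor arriving from a search result. The following is an added example (not the page's code, and not tooling from the campaign's investigators) that scans constructed Apache combined-format log lines for that pattern. The hostnames, the `/legacy/fckeditor/editor/` path, and the `redirect` and `url` parameter names are hypothetical; the real campaign's URLs are not reproduced here.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format log lines for this example. The hosts,
# paths and parameter names are hypothetical; they are not the exact URLs
# used in the FCKeditor campaign described above.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Feb/2024:10:01:12 +0000] "GET /legacy/fckeditor/editor/?redirect=https%3A%2F%2Fscam.example%2Fvbucks HTTP/1.1" 302 0 "https://www.google.com/" "Mozilla/5.0"
203.0.113.11 - - [20/Feb/2024:10:02:40 +0000] "GET /login?next=/dashboard HTTP/1.1" 302 0 "-" "Mozilla/5.0"
66.249.66.1 - - [20/Feb/2024:10:03:05 +0000] "GET /legacy/fckeditor/editor/?redirect=//scam.example/free-vbucks HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.12 - - [20/Feb/2024:10:04:00 +0000] "GET /search?q=https://other.example/help HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.13 - - [20/Feb/2024:10:05:30 +0000] "GET /go?url=https://trusted.example@scam.example/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SEARCH_ENGINE_HOSTS = ("google.", "bing.", "duckduckgo.")
CRAWLER_UA_MARKERS = ("googlebot", "bingbot", "duckduckbot")


def external_host(value, own_hosts):
    """Return the external host `value` would send a browser to, else None.

    Handles the forms that commonly slip past naive checks: absolute URLs,
    protocol-relative //host, backslash variants browsers normalise,
    https:host without slashes, and https://trusted@evil userinfo tricks.
    """
    v = value.strip()
    if v.startswith(("//", "/\\", "\\\\", "\\/")):
        v = "http://" + v.lstrip("/\\")
    parts = urlsplit(v)
    if parts.scheme.lower() not in ("http", "https"):
        return None                      # relative path or non-web scheme
    host = (parts.hostname or "").lower()
    if not host:
        # urlsplit puts "https:scam.example" into .path; browsers still go there
        host = parts.path.lstrip("/").split("/")[0].lower()
    return host if host and host not in own_hosts else None


def traffic_source(referer, user_agent):
    """Classify how the request arrived: search result click, crawler, or other."""
    ref_host = (urlsplit(referer).hostname or "").lower()
    if any(marker in ref_host for marker in SEARCH_ENGINE_HOSTS):
        return "search-engine referral"
    if any(marker in user_agent.lower() for marker in CRAWLER_UA_MARKERS):
        return "crawler"
    return "direct"


def find_seo_redirect_abuse(log_text, own_hosts):
    """Flag 3xx responses whose query string names an off-site redirect target."""
    own_hosts = {h.lower() for h in own_hosts}
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if not 300 <= int(m["status"]) < 400:
            continue                     # no redirect was issued
        target = urlsplit(m["target"])
        for param, value in parse_qsl(target.query, keep_blank_values=True):
            host = external_host(value, own_hosts)
            if host:
                findings.append({
                    "ip": m["ip"],
                    "path": target.path,
                    "param": param,
                    "host": host,
                    "source": traffic_source(m["referer"], m["ua"]),
                })
    return findings


if __name__ == "__main__":
    for f in find_seo_redirect_abuse(SAMPLE_LOG, {"trusted.example"}):
        print(f"{f['source']:<22} {f['ip']:<14} {f['path']} ?{f['param']} -> {f['host']}")
```

Run against the constructed lines, the scan flags three requests (one search-engine referral, one crawler hit, one direct) and ignores the same-site `next=/dashboard` redirect and the 200 response whose parameter merely contains a URL. A hit with a crawler user agent is the early warning: it means the poisoned link is being indexed, usually before any human clicks it.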
Some real-world examples of SEO Poisoning
The Blender 3D SEO poisoning: On January 18, 2023, a regular Google search for the brand Blender 3D, which is open-source software for creating 3D graphics.
SEO poisoning on healthcare sector: In April, security researchers at BlackBerry reported they found more SEO poisoning attacks, especially in healthcare, between December 2022 and February 2023, and predicted this trend would keep going.
SEO poisoning on E-Commerce stores : Since 2020, a group of cybercriminals from China has been launching an SEO poisoning campaign, specifically targeting popular e-commerce websites worldwide. The attack focuses on about 617 online stores in countries like Chile, Mexico, Colombia, Spain, Portugal, France, and Italy.
Targeting Outdated FCKeditor Plugin
A cybersecurity researcher, @g0njxa, found a sneaky redirect scheme when they noticed Google search results promoting 'Free V Bucks' generators, used for Fortnite game currency. These results were showing up on university websites.
Google dork result of FCKeditor
The attackers in this scheme used an old web text editor called FCKeditor, which lets people edit web pages directly. It is long unmaintained and contains an open redirect that attackers use to bounce visitors to their own sites.
Back in 2009, FCKeditor was replaced by CKEditor, which is more modern and safer to use, but some websites still run the old one.
tweet on fckeditor exploitation
In a Twitter thread, g0njxa lists the organizations affected by this campaign, primarily educational institutions such as MIT, Columbia University, Universitat de Barcelona, Auburn University, University of Washington, Purdue, Tulane, Universidad Central del Ecuador, and the University of Hawaii.
You clearly don’t want your application to have these vulnerabilities. Let’s look at some steps to prevent them.
Steps to prevent Open Redirect vulnerabilities
To protect against open redirect attacks, developers should:
Validate User Inputs: Ensure that any user-provided data, especially from URL query strings, is thoroughly validated before processing. For instance, if a user is allowed to supply a URL for redirection, parse it and verify that it meets expected criteria (scheme, host, path) rather than checking the raw string with a prefix or substring test, which forms like https://trusted.com.evil.com or //evil.com slip past.
Minimize User-Controlled Data in URLs: Whenever possible, avoid including user-controlled data directly in URLs. This reduces the risk of open redirects. Instead, consider using internal identifiers or parameters that aren't directly influenced by user input.
Sanitize User Inputs: If you must use user-controlled data in URLs, carefully sanitize it to remove any malicious or unexpected characters. This prevents attackers from injecting harmful payloads into redirection URLs. Treat sanitization as a supplement to allowlisting, not a replacement for it.
Utilize OWASP Recommendations: Refer to resources like the OWASP Unvalidated Redirects and Forwards Cheat Sheet for detailed guidance on preventing open redirect vulnerabilities.
Whitelist Permitted Target Locations: Establish a whitelist (allowlist) of permitted redirection targets. Redirect requests to these approved destinations while sending all other values to a default, safe location. This restricts where users can be redirected.
Generate Unique IDs for Redirection Targets: Consider generating unique identifiers for each redirection target. Instead of directly using user-controlled names or paths in URLs, use these IDs to map to the appropriate destination on the server side. This removes the possibility of users manipulating the redirection URL.
Implement Referrer-Policy Headers: Set appropriate Referrer-Policy headers to control the exposure of referrer URLs. By limiting referrer URL visibility, you reduce the risk of tokens in the referring URL leaking to a destination reached through a redirect.
Replace Outdated Software: Replace outdated software with newer, more secure alternatives like CKEditor.
How can Akto help?
Akto can help you identify open redirect vulnerabilities with just a single click. Our test library feature includes out of the box tests for these vulnerabilities. Try it out now on your APIs.
Final Thoughts
The recent exploitation of FCKeditor's open redirect vulnerability highlights the critical need for software and system updates. Outdated software exposes vulnerabilities that attackers can leverage for malicious activities. These vulnerabilities impact millions of users and larger entities, including educational institutions, government organizations, and businesses.
As application owners, make sure you maintain software updates, conduct regular security scans, and stay informed about potential threats.