'Coding error' on NHS website redirected users to malicious sites
Coding error in nhs.co.uk exploited by Czech coder to spread malware
"An internal coding error" has been held responsible for redirecting visitors to the NHS website to malicious websites containing malware and advertising.
More than 800 pages on nhs.co.uk automatically redirected users to websites that they had no intention of visiting. The problem was brought to light by a Reddit user attempting to find routine health information.
"While attempting to access flu shot information I stumbled upon a page which redirected me to an advertisement. Digging a bit deeper I found hundreds more pages which redirect to either an advertisement or a malware-infested page," wrote "Muzzers".
Muzzers was subsequently contacted by the NHS, who said they were aware of the issue and were working to fix it. The problem has since been resolved and the NHS said it was due to a coding error, rather than a malicious attack.
"An internal coding error has caused an incorrect redirect on some pages on NHS Choices since Sunday evening," said a statement.
"Routine security checks alerted us to this problem on Monday morning at which point we identified the problem and corrected the code."
An NHS coder mistakenly wrote "googleaspis.com" rather than "googleapis.com" when producing the website, an error that was picked up on by a ne'er-do-well in the Czech Republic, who registered the erroneous address in order to redirect users to other websites.
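The mistake described above is the kind a pre-release check can catch. As an added illustration (not code from the NHS or from this article), the following lists the external hosts a page loads resources from and flags any whose domain is within a small edit distance of an allowlisted one. The allowlist, the `ajax` subdomain and the sample HTML are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of third-party hosts the site intends to load from.
ALLOWED_HOSTS = {"ajax.googleapis.com", "fonts.googleapis.com"}

class _Refs(HTMLParser):  # collects src/href values from resource-loading tags
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "link", "img", "iframe"):
            self.urls += [v for k, v in attrs if k in ("src", "href") and v]

def registrable(host):
    # Simplification: last two labels. Production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):  # Levenshtein distance, computed row by row
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit(html, allowed=ALLOWED_HOSTS, max_dist=2):
    """Return (host, verdict, nearest_allowed_domain) for each non-allowlisted host."""
    parser = _Refs()
    parser.feed(html)
    domains = sorted({registrable(h) for h in allowed})
    findings = []
    for url in parser.urls:
        host = urlparse(url).hostname  # None for relative (same-origin) URLs
        if host is None or host in allowed:
            continue
        dist, nearest = min((edit_distance(registrable(host), d), d) for d in domains)
        lookalike = 0 < dist <= max_dist
        findings.append((host, "lookalike" if lookalike else "unlisted", nearest if lookalike else None))
    return findings

# Constructed sample page: one intended host, one with the typo from the article.
SAMPLE = """
<script src="https://ajax.googleapis.com/lib.js"></script>
<script src="//ajax.googleaspis.com/lib.js"></script>
<script src="/static/site.js"></script>
<img src="https://cdn.example.net/logo.png">
"""
```

Calling `audit(SAMPLE)` reports the mistyped host as a lookalike of `googleapis.com` and the other unknown host as unlisted, so a build step can fail on either verdict.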
Sean Power, security operations manager at DOSarrest Internet Security, recommends organisations like the NHS run regular scans and vulnerability checks to test the security of their websites.
"Any decent hacker will use a scanner to check out the vulnerabilities in a website, especially such a high profile one such as the NHS," he said.
"With the rapid rate that vulnerabilities are discovered, frequent vulnerability scans with a current scanner are vital to ensure that the site remains protected at all times.
"In addition to running scans at least every quarter, it is strongly recommended to run a vulnerability scan on your website after making any moderate or larger updates to your site or infrastructure to ensure that no new vulnerabilities have been introduced," Power concluded.
The NHS added that it's working to ensure that such an issue does not occur again.
"NHS Choices is treating this issue with urgency and once resolved we plan to undertake a thorough and detailed analysis to ensure that a full code review is undertaken and steps put in place to ensure no reoccurrence," said a statement.