UK Department for Transport caught inadvertently serving pornographic content to site visitors

James Walker November 29, 2021 at 12:32 UTC

Updated: November 29, 2021 at 12:39 UTC

“The page has since been permanently deleted,” a government spokesperson told the Daily Swig

A “dormant” webpage owned by the UK Department for Transport (DfT) was taken down after it was discovered that it was serving pornographic content to site visitors.

Last week, the British tech blog The crow published details of an apparent oversight on the part of the administrators of the gov.uk website, amid claims that someone had “set the DNS record for charts.dft.gov.uk to point Her Majesty’s own servers to a place better suited to hosting adult content”.

While the webpage in question was subsequently removed, archived snapshots of charts.dft.gov.uk (which we will not link here for obvious reasons) show that it did serve pornographic content.

News of the NSFW snafu soon appeared on Y Combinator’s Hacker News, among other forums.

Although there has been speculation about the exact cause, the consensus was that the problem resulted from a “dangling” DNS record that allowed an unauthorized third party to perform a subdomain takeover.

A spokesperson for the DfT told The Daily Swig that the problem is now resolved.

“A disused and dormant page of the Department of Transport’s Gov.uk website has been used,” they said on Friday (November 26th). “No information or data has been lost or compromised. The website address has since been permanently deleted.”

Subdomain takeovers are a common sight in the bug bounty market. Although they generally generate low payouts, there have been some notable examples of subdomain takeovers being used in more complex attacks that allow unauthorized third parties to pivot and gain access to critical business infrastructure.
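A defensive audit for the dangling-record condition described above, as an added example that is not from the article or from the DfT: it reconciles a zone's records against an asset inventory and flags names whose targets the organisation no longer controls. The zone lines, host names, address range and the `parse_zone` and `audit_zone` functions are all constructed for illustration.

```python
import ipaddress

# Constructed sample zone (reserved .test names and documentation IP ranges).
SAMPLE_ZONE = """\
www.example.gov.test.      300 IN A     192.0.2.10
charts.example.gov.test.   300 IN CNAME old-app.hosting-provider.test. ; decommissioned
maps.example.gov.test.     300 IN CNAME live-app.hosting-provider.test.
intranet.example.gov.test. 300 IN CNAME gone.example.gov.test.
legacy.example.gov.test.   300 IN A     203.0.113.77
"""

def parse_zone(text):
    """Yield (name, type, value) from 'name ttl IN type value' lines; ';' starts a comment."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) >= 5 and fields[2].upper() == "IN":
            yield fields[0].lower(), fields[3].upper(), fields[4].lower()

def audit_zone(text, origin, owned_nets, active_external):
    """Return (name, reason) for records pointing at something the inventory does not cover."""
    records = list(parse_zone(text))
    names = {name for name, _, _ in records}
    findings = []
    for name, rtype, value in records:
        if rtype == "CNAME":
            if value == origin or value.endswith("." + origin):
                # Target is inside our own zone: it must still exist there.
                if value not in names:
                    findings.append((name, "CNAME target missing from zone"))
            elif value not in active_external:
                # Target is a third-party resource nobody lists as still provisioned.
                findings.append((name, "external CNAME target not in inventory"))
        elif rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(value)
            if not any(addr in net for net in owned_nets):
                # Address may belong to released hosting that someone else can claim.
                findings.append((name, "address outside owned ranges"))
    return findings

if __name__ == "__main__":
    owned = [ipaddress.ip_network("192.0.2.0/24")]       # assumed: ranges we control
    active = {"live-app.hosting-provider.test."}         # assumed: provisioned external targets
    for name, reason in audit_zone(SAMPLE_ZONE, "example.gov.test.", owned, active):
        print(f"{name}: {reason}")
```

Records flagged this way should be deleted from the zone or re-pointed once the resource behind them is confirmed gone.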