Broken link hijacking
What is broken link hijacking?
In a broken link hijacking (BLH) attack, the attacker takes advantage of invalid external links. If your website or web application contains outbound links or is loading resources from external URLs and those resources are no longer available (for example, due to an expired domain), attackers can use these links to perform defacement, impersonation, phishing, or cross-site scripting attacks. BLH attacks are also possible if you employ third-party services like file hosting or link shortening, for example, on social media.
How does broken link hijacking work?
Expired domains are the cause of the two most popular types of broken link hijacking attacks. These could include domains once owned by an organization or domains belonging to less common redirection/link-shortening services, file hosting services, or content delivery networks (CDNs).
For example, your company could be using an external link-shortening service to improve the user experience by shortening URLs in tweets or LinkedIn posts. If the link shortener goes out of business and loses control of the domain, any published links that utilized this service will stop working. If an attacker then obtains the domain used by the defunct third-party service, they can redirect users to their own harmful sites instead of your original content, for example, to distribute malware. It’s worth noting that Twitter and other social media platforms often automatically parse links and provide previews of any visual material, such as a video. As a result, a successful attack may embed offensive content in all of your prior postings in order to deface your brand.
For expired domains that used to belong to your company, the most serious risk is impersonation. If you hold a domain and do not renew its registration, an attacker who takes over that domain may exploit new and existing links that include that domain name to elicit sensitive information via spoofed web pages, conduct phishing attacks based on your reputation, or take over email and social media accounts registered using the expired domain.
XSS attacks are another major risk associated with broken link hijacking. Many websites and web apps use scripts loaded from external sources, including scripts that integrate with an external traffic analyzer (like Google Analytics). If the traffic analyzer company goes out of business or otherwise loses control of its domain, your pages will have a broken JavaScript link. If an attacker then gains control of the traffic analyzer’s domain, they will be able to inject malicious scripts that are automatically loaded by your web pages with each visit instead of the analyzer. This results in a stored cross-site scripting attack with potentially significant repercussions.
Examples of broken link hijacking
With thousands of domains expiring every day, broken links are common. Not all of these result in broken link hijacking, but all have the potential to do so. Here are a few noteworthy examples.
- In 1999, Microsoft forgot to renew the passport.com domain used by its Hotmail email service. The renewal was picked up by a random Internet user, who then contacted Network Solutions. Microsoft thanked the user with a $500 check, which was then auctioned off for charity. Microsoft made another mistake in 2003, this time allowing a private individual to purchase the domain hotmail.co.uk, fortunately also without malicious intent.
- In 2010, Foursquare failed to renew its domain name. Luckily, their homepage was simply replaced by a default hosting landing page (GoDaddy), and no one purchased the domain before it was renewed.
- In 2013, one of the largest banks in the United States, Regions Bank, experienced a similar mishap. Failure to renew their primary domain resulted in a nearly week-long service outage.
- In 2017, a vulnerability researcher known as MisterCh0c conducted an analysis that allowed him to hijack tweets from Katy Perry, Shakira, Jennifer Lopez, Maroon 5, and others. These Twitter accounts had links to either non-existent redirection/link-shortening services or links to expired domains. From the top 1000 Twitter accounts, MisterCh0c was able to locate 109 accessible domains. This resulted in the creation of twitterBFTD, a tool that allows you to determine whether your tweets are affected by this issue.
In the past, well-known link-shortening services have also gone out of business or been retired. The discontinuation of Google’s goo.gl service did not result in BLH, but the closure of tr.im in 2009 resulted in the domain being available for sale.
How to detect broken link hijacking?
For some vulnerability scanners, notably Acunetix by Invicti, security scan results include information about broken links that return 404 or similar errors. This also covers external links that may result in broken link hijacking. If not, you can use broken link checker tools like Siteinspector or Octopus. Many SEO packages also have functionality for detecting incorrect external links.
Even so, dead link checkers can only detect a small number of potential BLH targets because they only flag a link that actually fails. If the domain provider creates its own redirect and landing page for every URL within an expired domain (as is standard practice), a crawler cannot distinguish this placeholder from a valid page.
The only way to ensure comprehensive coverage is to perform manual penetration testing on a regular basis to detect such cases. Unfortunately, pentesters frequently ignore broken links, presumably because they are considered an administrative rather than a security issue. For example, when top HackerOne researchers were asked whether they check for broken links as part of bug bounty programs, the vast majority said no.
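As an added example (not code from the article or from any scanner it names), the following Python check lists a page's external links and script sources and flags those whose host no longer resolves in DNS, rating script and iframe sources higher because a hijacked host there yields stored XSS. The sample page and its reserved .example hosts are constructed; a lapsed domain that already resolves to a registrar parking page is not caught and still needs manual review.

```python
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse
# Attribute carrying the URL for each tag we inspect.
URL_ATTRS = {"a": "href", "link": "href", "script": "src", "img": "src", "iframe": "src"}
# A hijacked host behind one of these tags can run or frame content in the page (stored XSS).
ACTIVE_TAGS = {"script", "iframe", "link"}

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []  # (tag, url) pairs in document order
    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.links.append((tag, value.strip()))

def external_links(html, own_host):
    """Return (tag, url, host) for absolute http(s) links pointing away from own_host."""
    parser = _LinkCollector()
    parser.feed(html)
    result = []
    for tag, url in parser.links:
        u = urlparse(url)
        host = (u.hostname or "").lower()
        if u.scheme in ("http", "https") and host and host != own_host and not host.endswith("." + own_host):
            result.append((tag, url, host))
    return result

def host_resolves(host):
    """True if DNS returns an address for host (network call; pass a fake resolver to test offline)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def blh_candidates(html, own_host, resolves=host_resolves):
    """Flag external links whose host no longer resolves (a parked domain that resolves is not caught)."""
    findings = []
    for tag, url, host in external_links(html, own_host):
        if not resolves(host):
            severity = "high" if tag in ACTIVE_TAGS else "medium"
            findings.append({"tag": tag, "url": url, "host": host, "severity": severity})
    return findings

# Constructed sample page: reserved .example names stand in for lapsed third-party domains.
SAMPLE_HTML = ('<script src="https://dead-analytics.example/track.js"></script><link rel="stylesheet" href="/static/site.css">'
               '<a href="https://example.com/about">About</a><a href="https://short.example/abc123">Launch video</a>'
               '<a href="https://partner.example.net/">Partner</a><img src="https://cdn.example.com/logo.png">')
```

Run it against `blh_candidates(SAMPLE_HTML, "example.com")` to exercise the real resolver; in a periodic job, feed it each crawled page and review every "high" finding first.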
How to prevent broken link hijacking?
The easiest strategy to avoid broken link hijacking on social media and in your own web assets is to employ only reputable redirection and file hosting providers that have been in business for many years and are unlikely to shut down unexpectedly. An even more cybersecurity-focused approach is to create such a service using your own domain. If your web application is built on a platform like WordPress, for example, there are numerous URL-shortening plugins available.
To avoid exploitation of your own expired domains, implement an effective domain renewal plan that ensures no domain is left hanging. The downside of this approach is that even temporary or legacy domains, such as those using outdated brand, product, or campaign names, need to be renewed indefinitely to prevent criminals from misusing your brand and reputation in the future.
Frequently asked questions
What is broken link hijacking?
Broken link hijacking (BLH) is a type of attack in which an attacker uses broken links and expired domains against you. Such attacks are possible if your website or web application has outbound links or loads resources from external URLs, but also if you use third-party services such as link shortening or file hosting to publish on social media.
Read about some famous domain expirations that could have resulted in BLH.
How dangerous is broken link hijacking?
Attackers can exploit broken link hijacking to launch a variety of attacks, most commonly to propagate malware or perform phishing using your domain authority. If the attack is specifically targeted at your company, BLH may be used for defacement or impersonation. Finally, BLH can result in stored cross-site scripting.
Learn more about stored (persistent) cross-site scripting and its potential consequences.
How to prevent broken link hijacking?
To minimize the risk of broken link hijacking, avoid using third-party services for link shortening and file hosting. If you must use a third-party service because you cannot develop or host your own, pick well-known ones that have been operational for a long time and are unlikely to go out of business. And above all, make certain that none of your own domains expire.
Use Acunetix by Invicti to automatically detect broken links that could lead to BLH and XSS.
Written by: Tomasz Andrzej Nidecki, reviewed by: Benjamin Daniel Mussler