Surrey Computing student unearths NHS website hack

Spam content discovered on health services’ flu jab page.

Surrey Computing undergraduate, Laurence Cartwright, earlier this week spotted that a developer for the NHS.uk Choices webpage had misspelt a redirect web address to Google (googleapis.com) as ‘googleaspis.com’.

“The googleaspis.com domain was later registered to a Czech address that took advantage of this oversight,” Laurence explained. “This allowed for the free distribution of client-side content, such as malware and advertisements.”

The Czech cyber-squatter had registered the misspelt domain and loaded it with adverts, profiting from unsuspecting web users whose browsers followed the googleaspis.com resource URL that the NHS pages referenced.
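The underlying defect is a typo in a third-party resource hostname that nobody noticed because the page still rendered. The following added example (not code from the NHS or the article) is the kind of code-review check that would catch it: it pulls external script, stylesheet, image and iframe URLs out of HTML, compares each host against an assumed allowlist of trusted third-party hosts, and flags hosts that are within a short edit distance of an allowlisted one. The allowlist and sample HTML are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: hosts the site is known to legitimately load resources from.
TRUSTED_HOSTS = {"ajax.googleapis.com", "fonts.googleapis.com", "www.google-analytics.com"}

# Heuristic extraction of src/href values from resource-loading tags (not a full HTML parser).
RESOURCE_RE = re.compile(
    r'<(?:script|link|img|iframe)\b[^>]*?\b(?:src|href)\s*=\s*["\']([^"\']+)["\']', re.I)

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_html(html: str, trusted=TRUSTED_HOSTS, max_distance: int = 2) -> dict:
    """Return hosts that look like typos of trusted hosts, plus hosts not on the allowlist at all."""
    typo_suspects, unlisted = [], []
    for url in RESOURCE_RE.findall(html):
        # Protocol-relative URLs ("//host/path") parse correctly; relative paths yield no hostname.
        host = urlparse(url).hostname
        if not host or host in trusted:
            continue
        closest = min(sorted(trusted), key=lambda t: levenshtein(host, t))
        distance = levenshtein(host, closest)
        if distance <= max_distance:
            typo_suspects.append((host, closest, distance))
        else:
            unlisted.append(host)
    return {"typo_suspects": typo_suspects, "unlisted": unlisted}

# Constructed sample page: one correct Google reference, one misspelt one, one unrelated CDN.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="//ajax.googleapis.com/ajax/libs/lib.js"></script>
<script type="text/javascript" src="//ajax.googleaspis.com/ajax/libs/lib.js"></script>
<img src="https://cdn.example.org/logo.png">
</head></html>
"""

if __name__ == "__main__":
    print(audit_html(SAMPLE_HTML))
```

Run over a site's templates in CI, a non-empty `typo_suspects` list is a build failure worth blocking on; `unlisted` hosts are a prompt to either extend the allowlist deliberately or remove the reference.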

Cartwright found that many other NHS pages were affected, including those on dementia, mental health and pregnancy.

Laurence’s discovery was publicised on www.reddit.com and picked up by press including the BBC, Guardian and Independent.

The NHS’ Health and Social Care Information Centre (HSCIC) commented at the time, “NHS Choices is treating this issue with urgency, and once resolved, we plan to undertake a thorough and detailed analysis to ensure that a full code review is undertaken and steps put in place to ensure no reoccurrence.”

Professor Anthony T.S. Ho, Head of the Department of Computing at Surrey, said, “This simple error in the source code shows how easy it is for organisations to be taken advantage of by cyber-squatters, if they don’t ensure their domain name/URLs have been set up correctly.

“In the future, businesses need to be aware of the importance of this issue, particularly in having a proper code review policy so that they can avoid it happening to them. Hopefully, Laurence’s finding would serve as a warning to others.”