Tech

Why Government and Military Sites Are Hosting Porn and Viagra Ads

A security researcher believes the issue comes down to a specific government contractor called Laserfiche.
A tank and viagra
Image: Raphael Gaillarde/Contributor, Konstantin Fedorov, Emily Lipstein/Motherboard
Screen Shot 2021-02-24 at 3
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.

Over the past year, various government and military websites have been hosting some walls of text you wouldn't ordinarily expect to see on .gov sites.

"How are erections measured while a man sleeps? Two small rings are placed around the penis, one at the tip and one at the base," one message on a U.S. military website read.

According to a security researcher, the reason a lot of government websites are hosting these spammy ads is a vulnerability in a piece of software used by an array of government agencies. The vulnerability allowed third parties to push files to these sites without the site owners' permission.

Advertisement

"This vulnerability created phishing lures on .gov and .mil domains that would push visitors into malicious redirects, and potentially target these victims with other exploits," Zach Edwards, the security researcher, told Motherboard in an online chat.

Some of the messages include adverts for viagra and porn, according to a video Edwards made to demonstrate the issue.

"I've seen this on probably 50 different government subdomains," Edwards added in the video. Some impacted sites included Senator John Tester's site and one belonging to the Minnesota National Guard, both of which were pushing viagra products.

"100% of the .gov sites I've reported have cleaned it after I reported it, but it's still constantly happening," Edwards told Motherboard.

The source of at least some of these uploads is a company called Laserfiche, according to Edwards. Laserfiche is a government software provider that makes content management systems. The company has contracts with the Army, the Navy, the FBI, and more, according to public procurement records.

Advertisement

Edwards said he figured out at least some of the sketchy uploads were linked to Laserfiche because of an Idaho.gov domain hosting the offending files and displaying a specific Laserfiche error message. Some other messages include ones advertising ingame currency for the massively popular game platform Roblox, or others advertising alleged Xbox gift card generators, according to a particular Google search.

In response to Edwards contacting Laserfiche about the issue, the company said that the vulnerability allows an unauthorized party to temporarily upload files to a site, according to a copy of the email Edwards shared with Motherboard.

Do you know about any compromises of government or military sites? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email joseph.cox@vice.com.

In a recent announcement, Laserfiche disclosed that file upload vulnerability publicly. Edwards believes this was the vulnerability responsible for the uploads on government sites.

"The vulnerability described here in this advisory is being exploited in a way where an unauthenticated third party can use Laserfiche Forms to temporarily host uploaded files for distribution," the Laserfiche announcement reads. Laserfiche has released various security updates, some of which reduced the window of time where an uploaded file can be shared to five minutes. The company told Motherboard the patches are for major versions of Laserfiche software released in the last five years.

Advertisement

Laserfiche also released a cleanup tool for impacted customers to help remove unauthorized uploads.

In a follow-up email to Motherboard, Laserfiche said "We have not attributed any spike of scam PDFs hosted on .gov domains directly to this specific vulnerability." In an earlier email to Edwards, the company did not deny being the source of some of the uploads.

"There are a significant number of cities, states and federal agencies, including military agencies, which use Laserfiche and should immediately install the patch and determine whether the other remediation steps are required," Edwards said.  "For any Laserfiche vendors who are using an older version of software that does not have the fix yet, those agencies should be encouraged to either upgrade their software, or stay on alert," he added.

Laserfiche told Motherboard in a statement that "We were made aware of a security vulnerability in Laserfiche Forms that allows unauthenticated third parties to access a public form through a web browser and use the form submission as a temporary file host to share an uploaded file for up to 24 hours. Laserfiche is working with solution providers and customers to apply security updates for Laserfiche Forms that restrict access to or remove this download link sharing feature altogether. Customer data was not impacted and such data is not accessible to outside third parties as a result of this vulnerability. We continue to monitor the situation and remain in contact with our solution providers and customers to address the issue."

Subscribe to our cybersecurity podcast, CYBER.