A small error in the code of the U.K.'s National Health Service website recently led to the site redirecting visitors to third-party websites full of advertising and malware. The agency has responded and fixed the problem, but the incident underscored how much damage something as simple as a spelling error in a body of code can cause, making the case for tools such as source code analysis software.
A Reddit user who goes by the handle Muzzers first reported the issue, observing that an attempt to access information about a flu shot redirected Muzzers to a new page filled with advertisements. The same issue was discovered for hundreds of links on the site: a full list of 836 malicious links was eventually discovered.
The problem stemmed from a piece of code that referenced the URL "translate.googleaspis.com" instead of the correct address, "translate.googleapis.com." While Muzzers initially attributed this error to a malicious code injection, an NHS Choices spokesperson told The Guardian that it was a developer error. A malicious third party had apparently seized control of the mistyped domain name to deliver advertisements and malware. Beginning on the morning of Feb. 2, users found themselves directed to this faulty URL. The issue had not been apparent until the domain name was purchased by someone in the Czech Republic.
Resolving the error
The NHS contacted Muzzers to explain that it was aware of the issue and was rolling out a fix. The error was discovered by the site's coders in a routine security check on Monday morning, The Guardian reported. The agency said it was going through the code to make sure the error had been corrected across all pages.
"We can confirm that this problem has arisen due to an internal coding error and that NHS Choices has not been maliciously attacked," the agency noted in a statement. "NHS Choices is treating this issue with urgency and once resolved we plan to undertake a thorough and detailed analysis to ensure that a full code review is undertaken and steps put in place to ensure no reoccurrence."
While initial concerns over the broader security of NHS systems were thus invalidated, the incident does show how a seemingly harmless typo can eventually become a software security threat. Developers can minimize the likelihood of such incidents by using static analysis software to review their code before it is released. With automated checks in place, it's possible to catch minor errors before they spawn major problems.
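As an added illustration (not code from the NHS or from the original article), the following Python check shows the kind of automated review described above: it extracts every hostname referenced in a page's source, compares it against an allowlist, and flags near-misses such as "translate.googleaspis.com". The allowlist contents, the `static.example.org` and `cdn.example.net` hosts, the sample markup and the function names are assumptions made for the example.

```python
import re

# Assumed allowlist of hosts the site is meant to reference.
ALLOWED_HOSTS = {"translate.googleapis.com", "static.example.org"}

# Matches absolute (https://host) and protocol-relative (//host) references.
HOST_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)")

def edit_distance(a, b):
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_hosts(source, allowed=ALLOWED_HOSTS, max_distance=2):
    """Return (line_no, host, verdict, nearest_allowed) for each unlisted host."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for host in HOST_RE.findall(line):
            host = host.lower().rstrip(".")
            if host in allowed:
                continue
            # Closest allowlisted name; sorted() keeps ties deterministic.
            nearest = min(sorted(allowed), key=lambda good: edit_distance(host, good))
            if edit_distance(host, nearest) <= max_distance:
                # One or two edits from a trusted name: probably a typo.
                findings.append((line_no, host, "likely-typo", nearest))
            else:
                findings.append((line_no, host, "not-allowlisted", None))
    return findings

# Constructed sample markup; line 2 carries the misspelling from the article.
SAMPLE = """<script src="//translate.googleapis.com/widget.js"></script>
<script src="//translate.googleaspis.com/widget.js"></script>
<link href="https://static.example.org/site.css" rel="stylesheet">
<img src="https://cdn.example.net/logo.png">"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

Run in a build pipeline, a check like this fails the release when a referenced host is missing from the allowlist, whether or not anyone has registered the mistyped domain yet.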
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.