The bug saw more than 800 web links on the nhs.uk website send visitors to websites showing advertising and malware, all unrelated to the NHS, and was fixed by the NHS Health and Social Care Information Centre (HSCIC) on Monday afternoon.
The group has put the issue down to an “internal coding error” which sent users to a mistyped URL, and was keen to stress that no third-parties were involved.
“We can confirm that this problem has arisen due to an internal coding error and that NHS Choices has not been maliciously attacked,” said a HSCIC spokeswoman on behalf of NHS Choices. The group added that the owner of the mistyped URL most likely took advantage and registered the domain to serve ads and malware to the redirected NHS website visitors.
Reddit user ‘Muzzers' was the first to come across the issue, when he found that an NHS website link had directed him to a different website.
“While attempting to access flu shot information I stumbled upon a page which redirected me to an advertisement. Digging a bit deeper I found hundreds more pages which redirect to either an advertisement or malware-infested page,” Muzzers posted on Reddit.
Cigital principal consultant Paco Hope told SCMagazineUK.com that this is proof that developers must be diligent, not just with their code, but with website links too.
“On the Internet, typos do not go nowhere - they go somewhere. In this case a simple typo pointed innocent users to the domain owned by the hacker who was prepared and just waiting. The lesson for software developers is to be diligent not just with code, but in testing all the links on every web application. Not every typo ends in an innocent "404" error. Some will end with malware shipped to a user.”
“It is important to note that medical records and NHS data are unlikely to be at risk: the threat is to individuals' PCs and contents via a malicious website,” Hope added.
“Interestingly, the first people to be infected could have been software developers who do the web site development. They would have been the first to load up the typo-affected web pages and would have been the first potential recipients of malware.”
At the time of writing, most of the links had been corrected by the NHS HSCIC.