(Image: Corinne Reichert/ZDNet)

One of AT&T's websites secretly redirected penetration tests to the FBI's Tips portal, putting security researchers participating in the company's bug bounty program at risk of breaking the law, ZDNet has learned.

The secret redirection was found on AT&T's E-rate portal at erate.att.com[1], used by schools and libraries to get discounts for internet and phone services.

Security researcher Nux[2], part of the ThugCrowd[3] team, discovered the redirection last week while searching for vulnerabilities in AT&T websites.

Nux wasn't trying to hack AT&T websites but was searching for security flaws, which he could report to the company via its official bug bounty program[4], and receive a monetary reward.

Instead, the researcher got a nasty surprise when a mundane penetration test triggered an alert in his bug-hunting tools, warning that the target website was answering the test request with a redirect to a new URL: the FBI's Tips portal.

The redirection happened when Nux used sqlmap to look for SQL injection vulnerabilities in the AT&T E-rate portal, and also when he used the NoScript browser extension to test whether a cross-site scripting (XSS) vulnerability could be used to relay a more complex exploit.

ZDNet was able to independently reproduce both of the redirections.
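The check described above, as an added example that is not code from the article, from ZDNet or from AT&T: a small Python probe that sends one scanner-looking request (a single quote in a query parameter and a sqlmap-style User-Agent) and reports any redirect without following it. The point of not following is that a client which silently obeys a 3xx would deliver the request, payload and all, to whatever third party the site points at. The local demo server, the `tips.example` hostname, the `/portal` path and the `id` parameter are all constructed for the demo.

```python
"""Probe a URL for off-site redirects without following them.

Added example, not part of the ZDNet article or AT&T's site. The demo
server below is a constructed stand-in for a site that bounces traffic
that looks like a vulnerability scan to a third-party URL.
"""
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request

REDIRECT_CODES = (301, 302, 303, 307, 308)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses; they surface as HTTPError."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_redirect(request_url, status, location):
    """Say where a response would send us and whether that leaves the target host.

    A relative Location is resolved against the request URL, as a browser would.
    """
    target_host = urllib.parse.urlsplit(request_url).hostname
    if status not in REDIRECT_CODES or not location:
        return {"redirected": False, "target": None, "off_site": False}
    resolved = urllib.parse.urljoin(request_url, location)
    dest_host = urllib.parse.urlsplit(resolved).hostname
    return {"redirected": True, "target": resolved, "off_site": dest_host != target_host}


def probe(url, param="id", payload="1'", user_agent="sqlmap/1.3"):
    """Send one request with `payload` in `param`; never follow a redirect."""
    parts = urllib.parse.urlsplit(url)
    query = dict(urllib.parse.parse_qsl(parts.query))
    query[param] = payload  # a lone quote is enough to trip most scanner rules
    probe_url = urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))
    req = urllib.request.Request(probe_url, headers={"User-Agent": user_agent})
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=5) as resp:
            status, location = resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx and 4xx/5xx both land here
        status, location = err.code, err.headers.get("Location")
    return classify_redirect(probe_url, status, location)


class DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in: redirects anything that looks like a scan elsewhere."""

    BOUNCE_TO = "https://tips.example/"  # hypothetical third-party destination

    def do_GET(self):
        query = urllib.parse.unquote(urllib.parse.urlsplit(self.path).query)
        looks_like_scan = "'" in query or self.headers.get("User-Agent", "").startswith("sqlmap")
        if looks_like_scan:
            self.send_response(302)
            self.send_header("Location", self.BOUNCE_TO)
            self.end_headers()
        else:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Start the demo server on a free port and probe it once plainly, once scanner-like."""
    server = http.server.HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d/portal?id=1" % server.server_address[1]
    try:
        plain = probe(base, payload="1", user_agent="Mozilla/5.0")
        scan = probe(base)
    finally:
        server.shutdown()
        server.server_close()
    return plain, scan


if __name__ == "__main__":
    for label, result in zip(("plain request", "scanner-like request"), run_demo()):
        print(label, result)
```

The plain request gets a 200 and no redirect; the scanner-like one gets a 302 whose Location points at a different host, which the probe reports as `off_site` without ever contacting it. Against a real target you would point `probe` at the page under test and treat any `off_site` result as a reason to stop and check the program's scope before sending anything further.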


Penetration tests are procedures in which security researchers mimic real-world attacks, with the goal of finding a way into a company's network before a genuine attacker does.

At the technical level there is no distinction between a penetration test and a real-world attack; what differs is the intent of the person behind it and whether the target has authorized the activity. A penetration tester reports the vulnerable entry point to the company so it can be patched, while an attacker would exploit the vulnerability for malicious purposes.

An uninvited pen-test

Security researchers like Nux carry out these penetration tests because companies
