Broken Link Hijacking 

You might think of broken links on your website as just a tiresome chore to fix, that you’ll get around to ‘one day’ … but they could become a security risk. 

No doubt your website links to other web pages and other external resources. Maybe a PDF or two; maybe a video. That’s generally seen as useful for your visitors, and therefore good for search engine optimisation (SEO).  

However, if the owner of one of those resources you’ve linked to lets that domain expire—perhaps the company was taken over, or went out of business—then your link now goes nowhere. It’s broken. 

That’s a nuisance for a visitor who is interested in that useful resource you linked to, and is potentially brand-damaging. If elements of your website are broken, it reflects badly on your company. Unfairly, perhaps, but it does. 

But there’s more to it than that: if someone with bad intentions then buys that domain name, they could turn it into a malicious site… which you are linking to, and sending visitors to. That site could trick your visitor into giving away sensitive information, or installing malicious software. 

That’s even worse for your reputation, with customers and with the search engines.    

If it had been a link to an image that you had been displaying on your site, that image could be replaced with something offensive, which would definitely damage your reputation and/or get you into legal trouble. 

And even worse: if that link had been loading a script, an attacker could replace that script with one of their own choosing, which would run every time somebody loaded your web page.  

That could potentially be very bad. The attacker could:  

  • Capture passwords or other sensitive information from your visitors. 
  • Get access to a visitor’s account. 
  • Add content to your site (such as ads—or even more unpleasant things). 
  • Send your visitor somewhere unexpected. 
  • And, they may be able to find vulnerabilities to exploit in your visitor’s browser. 

There are preventative measures you can take, such as: 

  • Hashing the resource and verifying that hash, so that the browser only loads it on your site if it hasn’t changed since the page was published. 
  • Adding a Content-Security-Policy HTTP header to restrict which domains resources can be loaded from; any others would be blocked. This wouldn’t solve the problem of a trusted domain going down, of course… 
  • And, perhaps most importantly, setting up a routine check for broken links (and then fixing them quickly). 
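As an added illustration of the first and third measures (this is not code from the original article): a small Python script that pins a third-party script with a hash in the way browsers support through the integrity attribute, re-checks a fetched copy against that hash, and lists the external hosts a page depends on so they can be checked routinely. The script body, hostnames and sample page are constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for a third-party script your page loads (not a real library).
ORIGINAL_JS = b"window.widget = { init: function () { console.log('ok'); } };\n"

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the integrity value ('sha384-<base64 digest>') for a resource body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def script_tag(src: str, body: bytes) -> str:
    """Render a <script> tag pinned to the body the page was published with."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')

def integrity_matches(integrity: str, fetched: bytes) -> bool:
    """Simplified version of the browser's check: accept the fetched body only if it
    matches one of the listed digests (browsers additionally prefer the strongest one)."""
    for token in integrity.split():
        algo, _, expected = token.partition("-")
        if algo not in ("sha256", "sha384", "sha512"):
            continue  # unknown algorithms are ignored, as browsers do
        if hashlib.new(algo, fetched).digest() == base64.b64decode(expected):
            return True
    return False

class _RefCollector(HTMLParser):
    """Collect every src/href value in a page."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.urls.append(value)

def external_hosts(html: str, own_host: str) -> set:
    """Hosts other than your own that the page depends on: the list a routine
    broken-link check should walk, since any of them could expire and be re-registered."""
    collector = _RefCollector()
    collector.feed(html)
    hosts = {urlparse(u).hostname for u in collector.urls}
    return {h for h in hosts if h and h != own_host}
```

A changed script body (even one extra byte) fails the integrity check and the browser refuses to run it, which is exactly the protection the first measure describes.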

Need some help? Contact us or call the Click and Protect team on 0113 733 6230.