Responsible Disclosure: An Exam Board Touting Dodgy PDFs
I hate academic tests. Wouldn't it be great if you could find the official answer papers?
Oh, cool, the OCR Exam Board is hosting answer sheets for all my classes!

What happens if I click it?

Yeach! It redirects users to a scammy ebook service hosted on an external website. Which, I assume, the exam board does not endorse.
Alongside exam books, textbooks, literary classics - there's a bunch of material which probably isn't suitable for school…

If you visit the root of the domain, it seems to have some dodgy JavaScript trying to redirect you to what is probably a scam site.

It seems fairly clear to me that this is an abandoned website. Some scammer has hijacked it and is using OCR's good name to launder their reputation.

Time to contact the exam board and let them know the bad news.
Disclosure Timeline
- 2022-06-04 Discovered. No security contact, so sent a brief email to their support address.
- 2022-06-07 Tried to make contact on Twitter - got redirected to email.
- 2022-07-13 Asked for an update - but noticed the website had been taken down.
- 2022-07-30 Blog post automatically published.
@Edent One day organisations will have actual exit strategies that aren't simply "abandon it"... I hope!