Last week we became aware that a few open redirects on a small number of federal, state, and local government domains were being used to create malicious 1.USA.gov URLs. We worked quickly to resolve the problem by removing the affected domains and short URLs.
USA.gov currently offers two URL shortening services, 1.USA.gov and Go.USA.gov, to enable agencies to easily share long links and track clicks to measure use.
1.USA.gov is powered by bitly.com and automatically creates short URLs from .gov and .mil domains. Go.USA.gov is a URL shortening service that’s only open to government employees and shortens .gov, .mil, .si.edu, .fed.us, and .state.xx.us domains. Learn more about these URL shortening services.
We’ve contacted the agency web managers of the domains in question and we’re working with them to correct the vulnerability. We will continue to work closely with bitly.com and monitor the sites until the issue is completely resolved.
If you’re a web manager, this is a good reminder to check your domains and sub-domains for open redirects so they can’t be abused. An open redirect is a page that sends visitors to whatever address is supplied in a URL parameter (for example, a login or "return to" link) without checking it. Because such a link begins with your .gov domain, a shortener and the people who click the short URL treat it as trustworthy even though it ends up on a site the attacker controls.
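To make the check concrete, here is an added example (not code from USA.gov or bitly) showing the redirect pattern that gets abused next to a hardened version that only follows relative paths or an allow-list of hosts. The `url` parameter name, the `example.gov` host list and the sample payloads are constructed for illustration; the function is meant to run on the parameter value after your web framework has URL-decoded it once.

```python
"""Open redirect: the abusable pattern beside a hardened replacement.

Added example, not code from the original post. ALLOWED_HOSTS, the ``url``
parameter and every payload below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Hosts this site may redirect to. Constructed for the example; use your own.
ALLOWED_HOSTS = {"example.gov", "www.example.gov"}


def vulnerable_redirect(target: str) -> str:
    """The pattern that gets abused: ?url=... is copied straight into Location.

    https://www.example.gov/go?url=https://evil.example/phish now starts on a
    .gov domain, so a shortener will happily mint a trusted-looking link for it.
    """
    return target


def safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS, default: str = "/") -> str:
    """Return ``target`` only if it stays on this site or an allowed host.

    Anything else (other hosts, scheme-relative URLs, javascript:/data: URLs,
    header-injection attempts) is replaced with ``default``.
    """
    if not target:
        return default
    target = target.strip()
    if "\r" in target or "\n" in target:        # CRLF would let the value break out of the header
        return default
    # Browsers accept "/\evil.example" as "//evil.example"; normalise before parsing.
    normalized = target.replace("\\", "/")
    parts = urlsplit(normalized)

    if parts.scheme == "" and parts.netloc == "":
        # No scheme and no authority: a same-site path such as "/account".
        # ("//evil.example" lands in netloc, so it never reaches this branch.)
        return normalized if normalized.startswith("/") else default

    if parts.scheme not in ("http", "https"):
        return default                         # javascript:, data:, ftp:, ...

    # hostname drops userinfo and port, so "https://www.example.gov@evil.example/"
    # is judged by "evil.example", not by the decoy before the "@".
    host = (parts.hostname or "").lower()
    return normalized if host in allowed_hosts else default


# Constructed probe payloads of the kind you would try against your own
# redirect endpoints; each should end up at "/" rather than off-site.
PROBES = [
    "https://evil.example/phish",              # plain off-site URL
    "//evil.example/phish",                    # scheme-relative
    "/\\evil.example/phish",                   # backslash trick
    "https:evil.example",                      # missing slashes, browser still follows
    "https://www.example.gov.evil.example/",   # allowed host used as a subdomain
    "https://www.example.gov@evil.example/",   # allowed host as userinfo decoy
    "javascript:alert(1)",                     # non-HTTP scheme
]


def audit(handler) -> dict:
    """Map each probe to where ``handler`` would send the visitor."""
    return {p: handler(p) for p in PROBES}


if __name__ == "__main__":
    for payload, dest in audit(vulnerable_redirect).items():
        print(f"vulnerable: {payload!r:45} -> {dest}")
    for payload, dest in audit(safe_redirect_target).items():
        print(f"hardened:   {payload!r:45} -> {dest}")
```

Where possible, avoid taking a destination from the request at all: store the post-login destination server-side, or accept only a short token that your own code maps to a fixed list of URLs. The allow-list above is the fallback for cases where a full URL really has to be accepted.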
Google has a blog post that suggests potential solutions. We’re also willing to help if we can. If you have questions or would like assistance, please e-mail firstname.lastname@example.org.