They Forgot a Link. I Found a Nightmare.

Broken Link Hijacking in the wild.


It’s a hot summer night. You log in to check your bank account, but something’s wrong. The page looks real, but your password doesn’t work. You try again. Still nothing. 'Must be a bug,' you think, and go to bed. By morning, your account is empty.

It started with a link.

Discovery

On June 17th, I was closing my MeDirect account that I hadn't used in ages. As I was logging in to their website, something caught my eye in the footer – a link to the safety guidelines for banking. Click. Huh, that's weird – a dead link. The domain isn't owned by anyone anymore. I wondered: could I claim the domain?

In a multilingual country such as Belgium, websites often come in 3 languages: Dutch, French and English. This meant there were three separate links to explore in the footer.

[Screenshots of the footer links: Dutch/English and French/Dutch versions]

Two of the links were dead, a third one was up and running – with a landing page and a price tag of 6.5k USD.

Why was this domain for sale? Could I also buy the other domains?

goedebankrelatie.be and bonnerelationbancaire.be cannot be registered anymore, as their domain status is 'quarantined', which is defined as:

Domain names that are deactivated by the registrant (via its registrar) or by the registrar itself (e.g. if you did not pay the invoice for the renewal on time) are not released immediately. They are first put in quarantine for 40 days. - DNS Belgium

Since it had been over 40 days, it’s safe to assume these domains were retired permanently. For some reason, safeinternetbanking.be wasn't.
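The discovery above is exactly the check a site owner could run on their own pages before someone else does. The following is an added example, not code from the original post: a small, defender-side audit that extracts the third-party links from a page, flags hosts that no longer resolve in DNS, and separately flags hosts that do resolve but are not on a reviewed list of approved external destinations. That second category matters because a domain that has been dropped and put up for sale, like safeinternetbanking.be here, still resolves to a landing page and would pass a plain "is it dead?" check. The footer HTML, the bank hostname `bank.example`, the approved list and the offline DNS answers are all constructed for the example; the three `.be` domains are the ones named in this post.

```python
"""Audit a page's external links for broken-link-hijacking candidates."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import socket


class LinkExtractor(HTMLParser):
    """Collect every href from <a> tags in an HTML document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.hrefs.append(value.strip())


def external_hosts(html, own_host):
    """Return the sorted third-party hostnames linked from `html`.

    Links to `own_host` and its subdomains, relative links and non-web
    schemes (mailto:, tel:, javascript:) are ignored.
    """
    parser = LinkExtractor()
    parser.feed(html)
    own_host = own_host.lower()
    hosts = set()
    for href in parser.hrefs:
        parts = urlparse(href)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https") or not host:
            continue
        if host == own_host or host.endswith("." + own_host):
            continue
        hosts.add(host)
    return sorted(hosts)


def dns_resolves(host):
    """Live check: does the hostname resolve to any address at all?"""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def audit_links(html, own_host, approved, resolver=dns_resolves):
    """Classify each external host.

    UNRESOLVED: nothing answers for the name; the domain may be lapsed and
                registrable by anyone.
    UNREVIEWED: resolves, but nobody has vouched for who owns it now; a
                parked "for sale" domain lands here, not in "ok".
    ok:         resolves and is on the reviewed allowlist.
    """
    result = {}
    for host in external_hosts(html, own_host):
        if not resolver(host):
            result[host] = "UNRESOLVED"
        elif host not in approved:
            result[host] = "UNREVIEWED"
        else:
            result[host] = "ok"
    return result


# Constructed sample footer (not the bank's real markup).
SAMPLE_FOOTER = """
<footer>
  <a href="/login">Login</a>
  <a href="https://bank.example/contact">Contact</a>
  <a href="https://app.bank.example/">App</a>
  <a href="mailto:help@bank.example">Mail</a>
  <a href="https://www.febelfin.be/">Febelfin</a>
  <a href="http://safeinternetbanking.be/">Safe internet banking</a>
  <a href="http://goedebankrelatie.be/">Goede bankrelatie</a>
  <a href="http://bonnerelationbancaire.be/">Bonne relation bancaire</a>
</footer>
"""

# Constructed DNS answers so the example runs offline; a real audit passes
# dns_resolves instead. The for-sale domain still resolves (parking page).
FAKE_DNS = {"www.febelfin.be": True, "safeinternetbanking.be": True}

# Constructed allowlist of external destinations someone has actually reviewed.
APPROVED = {"www.febelfin.be"}


def offline_resolver(host):
    return FAKE_DNS.get(host, False)


if __name__ == "__main__":
    report = audit_links(SAMPLE_FOOTER, "bank.example", APPROVED, offline_resolver)
    for host, status in report.items():
        print(f"{status:10} {host}")
```

Anything reported as UNRESOLVED or UNREVIEWED needs a human follow-up: look up the registrar status (quarantined, available, or held by a third party) and, for hosts that resolve, confirm the content still belongs to the organisation the link was meant to point at. Running this on a schedule against every public page turns the "routine audit" into something that would actually have caught this.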

Danger

Anyone could buy this domain. With it, an attacker could create a perfect replica of the bank’s login page. What’s stopping them? Nothing.

This was pure negligence: one misclick and you're handing someone else your credentials. Whilst 2FA might protect you against unauthorised transactions, it wouldn’t stop an attacker from spearphishing a high-net-worth individual. Just one victim could make the scam profitable.

Disclosing

After confirming the domain was for sale, I immediately contacted MeDirect, detailing the potential security risks.

For several weeks I kept getting updates that they were working on it. Finally, on August 5th, I received an email stating that they were working on resolving it.

Their response (translated)

We would like to inform you about the current situation.

We apologize for the delay in processing your request. The relevant department is taking the necessary steps to remove the references from the platform.

We hope this information is sufficient.

As of now, the dead links have been replaced with a direct link to a PDF on Febelfin's official website.

However, their communication doesn't tell us at all why it took them so long. I understand that any proper organisation has procedures in place for changing core pages of its website, requiring approval from management – but you'd think a potential risk like this would get things streamlined.

Takeaway

While the issue has been resolved, it raises troubling questions:

  • How did this slip through routine audits?
  • Why did it take seven weeks to fix a few broken links?
  • Why are banks still linking to external sites without warnings?

In an age of digital warfare, security should be priority number one. This should also remind us that vulnerabilities often hide in plain sight.