Vulnerability in Meteotemplate
What is Meteotemplate?
Meteotemplate is a software package, or template, that hundreds of hobbyist weather stations around the world use to create rich and beautiful web pages with weather data.
My weather station sends its data to the internet, since several years with the help of a Raspberry Pi, the Open Source software WeeWx, and the Meteotemplate program.
I recently discovered by analyzing data from the eMariete.com server that I was getting some pretty suspicious traffic. I started researching it and discovered that the problem was with Meteotemplate.
Meteotemplate has an open redirect vulnerability (technically called CWE-601 [URL Redirection to Untrusted Site ('Open Redirect')]) which makes «the bad guys» can use it to commit their misdeeds (mainly attacks phishing, but it is usable for many more types of attack and traffic and link masking).
The CCN-157548 vulnerability
CCN-157548 is the code that is given to this vulnerability in the vulnerability catalogs from the cybersecurity companies.
This vulnerability (of type ‘Open Redirect‘) allows the attacker to build a URL with a certain format which apparently points to a completely normal and legal website but when the user clicks on it, he is redirected to any website the attacker wants.
Take advantage of a vulnerability like this makes phishing attacks much easier, since the name of the server in the manipulated link is identical to the legal sitelegal, which makes the links have a harmless appearance.
The link may contain a parameter so that the web application redirect the request to the specified URL. By modifying that URL, which points to the malicious site, an attacker can successfully make a phishing attack and steal the user's credentials.
The Open Redirect is a bug in the program, which allows attackers to redirect users to malicious websites.
An example of exploit of this vulnerability would be in which the attacker, to impersonate your bank, creates a link like https://yourbank.com/home and when the user clicks on it is redirected to the web page that wants the attacker.
If our website https: //myweb.com/get in is vulnerable, the bad create url like https: //myweb.com/ enter/redirect.php?https://elsitiodelmalo.com so that, when our unsuspecting navigator clicks on the link, believing that he is going to come to our website, actually go to the web bad (who can impersonate for ours) and ask the user for data, for example.
How to fix the Meteotemplate vulnerability?
When I discovered the vulnerability on June 8, 2020, I reported it on the Meteotemplate official forum hoping that Jachym, its creator, could fix it but, unfortunately, there was no answer, neither by Jachym nor any other user. It seemed like nobody cared about it.
A month and a half later, August 21, 2020, I insisted again adding more information, which I had discovered, and publishing a list of affected sites, so they would see that there were thousands. There was also no response.
If it has helped me to take more than 20 years working in computer security (in companies such as McAfee, Symantec, Panda Security, Anyware Computer Security and others) is to know that vulnerabilities are important and need to be fixed as soon as possible.
On August 25 I opted for make it public in Meteoclimatic, What is it the largest forum for meteorology fans in Spain, and where many of them use this software. They immediately paid attention and in less than 24 hours, the user jmviper public the redirect.php code, that you can see below, fixing the vulnerability in Meteotemplate.
The impact on SEO
What is SEO?
SEO (Search Engine Optimization) is the science / art of optimize web pages to position them in search engines.
It is about ensuring that when a user searches for something in Google, or any other search engine, the page appears in the results as high as possible.
What you have to keep in mind is that for Google the most important thing is resolve search intent of the users.
But how does Google determine which pages should be put first in the results?
Logically, Google has many things Take into account when deciding which pages to include in search results and which to put first in those results.
Of course one of the most important factors is the content of the pages, in addition to the Page title, but also to know which pages are of real quality and may be liked more by users, it is based on other signs that can be positive or negative how:
Positive signs for Google
They are those that indicate to Google that the page can be interesting, like to users and resolve search intent.
- What other pages link to this? If many other pages link to this one, it may mean that its content is important
- What theme are the pages that link to this one? If the pages that link to this are of the same theme as the question, it is more likely that the contents are relevant to the user
- What prestige do other pages that link to this have? It is not the same as a link to the page Perico el de los palotes (I mean a page without any importance, with little content, to which almost no one links, etc.) to a important newspaper or a page with great authority (especially if it is of the same theme).
Negative signs for Google
Just as Google takes into account these signals, which tell it that a page has that «prestige«, There are other signs that tell you that the page may have a bad, uninteresting, unoriginal content (copied from other sites) and even that their content is dishonest or, outright, illegal.
- Does the page receive links from suspicious sites? If the page receives links from porn sites, illegal sales, sale of illegal products, etc. it is more than possible that Google penalizes this page and that it does not appear in the search results (although its content is completely clean, legal and correct). After all, Google likes that its results are suitable for all audiences (even trying to fulfill the search intention of those who want something else).
- Does the page have frequent syntactic, concordance, or similar spelling errors? This may tell you that your content is of low quality, that it has been automatically generated or translated.
- Is the page updated frequently? Google likes pages that update frequently and have fresh contents, just like most users.
What google sees
If our page is exploitable by a vulnerability of this type, soon many cybercriminals will use it to redirect users to other sites, creating multiple links on many sites, forums, pages of all kinds, advertising, etc. creating links like https: //myweb.com/ enter/redirect.php?https://elsitiodelmalo.com
Keep in mind that cybercriminals, in many cases, use automatic tools to create these links, so it will be normal for our website to receive hundreds or thousands of malicious links in a very short time.
What Google will see is that many sites dedicated to sex, malware, phishing, illegal activities, etc. link to our page, you won't like them «our friends»And you can penalize our page for this by making the page not appear in the search engine results (or at least not in the first positions).
Google Penalty Real Data
In the following table we can see the data of penalty probability by Google, calculated by the tool MOZ, on websites that use Meteotemplate.
I have limited the list to sites that have a higher chance than 50%, there are many more with lower values.
For privacy and security I have removed part of the url.