(Image: Corinne Reichert/ZDNet)

One of AT&T's websites secretly redirected penetration tests to the FBI's Tips portal, putting security researchers participating in the company's bug bounty program at risk of breaking the law, ZDNet has learned.

The secret redirection was found on AT&T's E-rate portal at erate.att.com, used by schools and libraries to get discounts for internet and phone services.

Security researcher Nux, part of the ThugCrowd team, discovered the redirection last week while searching for vulnerabilities in AT&T websites.

Nux wasn't trying to hack AT&T websites but was searching for security flaws, which he could report to the company via its official bug bounty program, and receive a monetary reward.

Instead, the researcher got a nasty surprise when a mundane penetration test triggered an alert in his bug-hunting tools, warning that the target website was attempting to redirect the penetration test to a new URL, which was the FBI's Tips portal.

The redirection happened when Nux used Sqlmap to find SQL vulnerabilities in the AT&T E-rate portal, but also when he used the NoScript browser extension to test if a cross-site scripting (XSS) vulnerability could relay a more complex exploit.

ZDNet was able to independently reproduce both of the redirections.

Penetration tests are procedures where security researchers mimic real-world attacks with the purpose of breaking into a company's network.

There is no distinction between a penetration test and a real-world attack, except the attacker's intentions. A penetration tester will report the vulnerable entry point to a company, so they can patch it, while an attacker would exploit the vulnerability for malicious purposes.

An uninvited pen-test

Security researchers like Nux carry out these penetration tests because companies like AT&T have bug bounty programs through which they invite this type of traffic being aimed at their applications.

The FBI does not have a bug bounty program, nor does it invite such pen-tests.

By redirecting the penetration test to the FBI's Tips portal, AT&T had effectively put researchers in a position where they'd be launching uninvited penetration tests at a US government's website.

"The [pen-test] traffic is 100% legit so it would look like a real attack," Marcus J. Carey, CEO at penetration-testing firm Threatcare, told ZDNet in an online conversation this week.

"These are legit researchers looking for vulnerabilities using standard and custom tools. It's a long shot but there could be a legit exploit reflected through AT&T that compromises the FBI."

AT&T has removed the redirection over the weekend after ZDNet reached out last week. A spokesperson did not return additional requests for comment. The FBI did not want to comment.

"This surely shouldn't be a standard practice," Carey told ZDNet. "I'm confident that the FBI is not cool with attacks being forwarded to their servers."

Misunderstandings happen all the time

This entire situation looks silly and some sort of joke on the part of AT&T's IT staff, rather than something malicious.

However, misunderstandings happen all the time, especially when authorities have to deal with security researchers. There have been numerous cases in the past when legitimate security researchers have been misunderstood and mistreated by law enforcement.

For example, in May 2016, security researcher David Levin was arrested for disclosing vulnerabilities in the US election website. In January 2017, Justin Shafer was raided and detained by the FBI after he reported to a healthcare entity that they were exposing FTP servers with patient data.

In July 2017, a Hungarian teen was arrested for reporting vulnerabilities in Budapest's public transport e-Ticket system. Just this month, two security researchers were arrested in Iowa for breaking into a courthouse as part of a physical penetration test, even if they had all their paperwork authorizing the test.