The 'contact' section on the website is an open door for hackers

According to the UK security consulting firm SecureTest, the "contact us" feature, which lets outsiders send messages to a website's operators, is unsafe and makes it easy for attackers to mount a denial-of-service (DDoS) attack against the mail server.

The severity of these attacks varies because it depends on where the company hosts its server. If it rents hosting from an outside service provider, the risk is lower than with self-hosting.

Image: Contact form on QuanTriMang

When a company hosts its own web server, that server usually sits in the DMZ (a firewalled segment in front of the LAN) between the external and internal firewalls. The "contact" form simply generates an e-mail on demand and passes its content to the internal mail server, which forwards it to an address on the LAN.

Mail filtering systems often treat the web server as a trusted internal mail client. In a deliberate attack, the attacker submits a large volume of e-mail containing malicious code, paralysing the server. Crafting submissions that alter message content, or attacking from spoofed IP addresses, makes the situation worse. If the site also has auto-reply enabled (for both valid and invalid addresses, the invalid ones usually belonging to the attacker), the server is easily "flooded" with result e-mails (non-delivery reports).

Ken Munro, Director of SecureTest, said many organizations pay no attention to this vulnerability. There are many ways to fend off this type of DDoS attack through the "contact" section, such as asking the sender to type a few characters from an image that a computer cannot read (the same way Yahoo does when users create mailboxes).
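The following is an added example, not code from the article or from SecureTest, showing how a contact-form handler can apply the defences the article describes: a challenge the visitor must answer (the image check), a per-source rate limit, rejection of header injection, a fixed envelope sender so bounces never go to a visitor-supplied address, and no auto-reply at all. All addresses, limits and function names are assumptions chosen for illustration; the image generation itself is out of scope, so the challenge is modelled as a signed token binding whatever answer the image generator chose.

```python
# Added example (not from the article): a hardened contact-form handler.
# All names, addresses and limits below are assumptions chosen for illustration.
import hashlib
import hmac
import re
import secrets
import time
from collections import defaultdict, deque

CONTACT_MAILBOX = "webmaster@example.com"   # assumed internal recipient on the LAN
WEBFORM_SENDER = "webform@example.com"      # fixed envelope sender; bounces come back here
RATE_LIMIT = 3                              # submissions allowed per source IP per window
RATE_WINDOW = 60.0                          # window length in seconds
CHALLENGE_TTL = 300                         # seconds a challenge token stays valid
MAX_SUBJECT = 200
MAX_BODY = 4000

_CHALLENGE_KEY = secrets.token_bytes(32)    # per-process secret for signing challenge tokens
_submissions = defaultdict(deque)           # source IP -> timestamps of recent attempts
_used_tokens = set()                        # tokens already redeemed (replay protection)
_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
_HEADER_SAFE = re.compile(r"[^\r\n]*")      # CR/LF in a field would inject extra mail headers


def _mac(answer, ts):
    data = f"{answer.strip().lower()}|{ts}".encode()
    return hmac.new(_CHALLENGE_KEY, data, hashlib.sha256).hexdigest()


def issue_challenge(answer, now=None):
    """Sign the expected answer (the text shown in the image) together with a timestamp.
    The server keeps no state; the token travels with the form and is checked on submit."""
    ts = str(int(now if now is not None else time.time()))
    return f"{ts}.{_mac(answer, ts)}"


def verify_challenge(token, answer, now=None):
    """True if the token was issued for this answer and has not expired."""
    parts = token.split(".", 1)
    if len(parts) != 2 or not parts[0].isdigit():
        return False
    ts, mac = parts
    current = now if now is not None else time.time()
    if not 0 <= current - int(ts) <= CHALLENGE_TTL:
        return False
    return hmac.compare_digest(_mac(answer, ts), mac)


def within_rate_limit(source_ip, now=None):
    """Sliding-window limit; every attempt counts, successful or not."""
    current = now if now is not None else time.time()
    window = _submissions[source_ip]
    while window and current - window[0] > RATE_WINDOW:
        window.popleft()
    if len(window) >= RATE_LIMIT:
        return False
    window.append(current)
    return True


def handle_contact(form, source_ip, now=None):
    """Validate a submission; return (accepted, reason, message_to_relay_or_None)."""
    if not within_rate_limit(source_ip, now):
        return False, "rate-limited", None
    token = form.get("challenge_token", "")
    if token in _used_tokens or not verify_challenge(token, form.get("challenge_answer", ""), now):
        return False, "challenge-failed", None
    sender = form.get("email", "")
    if not _EMAIL.fullmatch(sender):
        return False, "invalid-email", None
    subject = form.get("subject", "")
    if not _HEADER_SAFE.fullmatch(subject) or len(subject) > MAX_SUBJECT:
        return False, "invalid-header", None
    body = form.get("body", "")
    if len(body) > MAX_BODY:
        return False, "body-too-large", None
    _used_tokens.add(token)
    # The envelope sender is our own fixed address and nothing is ever sent back to the
    # visitor-supplied address, so a spoofed or bogus sender cannot turn the form into a
    # bounce or auto-reply flood against the internal mail server.
    message = {
        "envelope_from": WEBFORM_SENDER,
        "to": CONTACT_MAILBOX,
        "reply_to": sender,
        "subject": f"[web contact] {subject}",
        "body": body,
        "source_ip": source_ip,
    }
    return True, "accepted", message
```

The relay step that hands `message` to the internal mail server is left to the site's mail library; the point of the handler is that everything reaching that server has already passed the challenge, the rate limit and the header checks, and that the only address the server will ever reply or bounce to is the site's own.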