What Are Open Redirect Vulnerabilities? Explained
Let's get right into it and explain what an open redirect vulnerability is. The vulnerability exists when a user visits a website and that website sends their browser to a different URL, most often on a different domain, with the destination taken from something the attacker controls, such as a phishing link or a stored value. This kind of sneaky redirecting can trick people into believing they are submitting information to a legitimate website, when really they just handed their login creds to a malicious actor. That is what an open redirect vulnerability is. Now, in our current day and age it doesn't sound that scary, and some companies rate them so low that rewards aren't offered for them in bug bounties, Google being one case. OWASP, which is focused on web security, removed open redirects from its Top 10 back in 2017.
How Redirects work
Open redirects occur when an application trusts user-controlled input to decide where to redirect to, for example a URL parameter, a DOM window property such as window.location, or an HTML meta refresh tag. Redirects have a perfectly valid use case when used as intended: they are used when moving content to a new URL, when deleting pages, when changing domain names or when merging websites. When you have to use them, follow this best practice: avoid chained redirects, that is, one redirect should not forward to another redirect. Below is an example of a redirect using a URL parameter.
https://www.google.com/?redirect=https://www.gmail.com
In this example you can see that the google domain is redirecting to the gmail domain; in this case you are getting exactly what the developers wanted. The same thing can be done with a PHP header() redirect on the server side so the destination never gets the chance to be manipulated. But sometimes it isn't going to be a permanent redirection, or the developers don't have access to redirect something from the backend. That is why JavaScript and HTML meta tags are used for redirects as well. Here are a couple of examples of what they look like.
JavaScript:
window.location = "https://newurl.com/";
HTML meta tag:
<html>
<head>
<meta http-equiv="refresh" content="0;URL=https://newurl.com/">
</head>
</html>
What is so dangerous about Open Redirects
Now that we've covered what a redirect and an open redirect are, let's get into the damage they've caused in the real world. Phishing is the major go-to when abusing this vulnerability. Most email security solutions aren't built to validate whether a URL is malicious in real time; instead they rely on a list of bad URLs identified ahead of time. That is what catches the throwaway URLs threat actors use, which is why links created by threat actors have a short life span. But if they find an open redirect vulnerability on a trusted website, they can leverage the link for much longer, because the link carries a trusted domain.
Google’s DoubleClick
Google DoubleClick is the advertising technology that provides deep analytics and insights for marketers to advertise more effectively based on user behavior. DoubleClick has been known to carry this vulnerability since 2008, following its acquisition by Google. Since then, the open redirect and the risk this type of access poses have not been addressed. As far back as 2014, a known malvertising campaign was identified using doubleclick.net.
The structure of the open redirects in the phishing campaigns identified by the GreatHorn Threat Intelligence Team is the same in every case: the attacker adds an “advertising URL” (seen as “adurl=”) to redirect the user to a destination site that appears legitimate but is in fact malicious. Note that an attacker does not need a DoubleClick account to build the redirect; anyone can modify a DoubleClick URL and change the destination.
http://googleads.g.doubleclick.net/pcs/click?adurl=https%3A%2F%2Ftm74k.codesandbox.io/YnJlbnQucmFnc2RhbGVAY2hpY2stZmlsLWEuY29t&c=R,6,65f05392-f8de-4117-b270-51af0e396896E,&typo=4
Between Q1 2021 and Q2 2021, the use of Google’s DoubleClick platform to send malicious links increased 141%.
Google’s Meet
Google Meet teleconferencing is a highly used and recognized service, included in any subscription to Google Workspace. In fact, during 2020 Google reported over 100 million daily Meet meeting participants. And because of the widespread use and trust associated with the #1 brand on the market, applying an open redirect on it became a commonly used practice by threat actors. Between Q1 2021 and Q2 2021, the use of the Google Meet platform to send malicious links increased 57%.
The structure of the open redirects within these phishing campaigns is likewise the same: the attacker adds a “link redirect” (seen as “linkredirect?”) to tell the browser what destination site the user should go to. Unfortunately, because the domain is “meet.google.com/”, the link appears legitimate, but the destination found after “dest=” in the URL parameter is malicious.
https://meet.google.com/linkredirect?authuser=0&dest=https%3A%2F%2Fglowforge.chargebee.com%2Fsubscriptions%2F31441895%2Fdetails
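Both campaigns above share one detectable trait: a URL on a trusted domain whose redirect parameter decodes to a different host. The following is an added example (not code from the original post) of that detection logic run over a few constructed proxy log lines; it looks for the adurl and dest parameters named in the post plus some commonly assumed names, and handles a protocol-relative target (//host/...) as an off-site destination as well.

```python
"""Flag URLs whose redirect-style query parameter points off the hosting domain.

Added example, not part of the original post. The log format and the
parameter names beyond 'adurl' and 'dest' are assumptions.
"""
from urllib.parse import urlsplit, parse_qs

# Parameter names that commonly carry a redirect target. 'adurl' and 'dest'
# come from the post's DoubleClick and Meet examples; the rest are assumed.
REDIRECT_PARAMS = ("adurl", "dest", "redirect", "url", "next")

# Constructed log lines: "<timestamp> <client> GET <url>". The two flagged
# URLs are the ones quoted in the post; the other two are benign controls.
SAMPLE_LOG = [
    "2021-06-01T10:00:00Z 10.0.0.5 GET https://www.example.com/login?next=/account",
    "2021-06-01T10:00:01Z 10.0.0.5 GET http://googleads.g.doubleclick.net/pcs/click?adurl=https%3A%2F%2Ftm74k.codesandbox.io/YnJlbnQucmFnc2RhbGVAY2hpY2stZmlsLWEuY29t&c=R,6,65f05392-f8de-4117-b270-51af0e396896E,&typo=4",
    "2021-06-01T10:00:02Z 10.0.0.7 GET https://www.example.com/out?redirect=https://www.example.com/home",
    "2021-06-01T10:00:03Z 10.0.0.9 GET https://meet.google.com/linkredirect?authuser=0&dest=https%3A%2F%2Fglowforge.chargebee.com%2Fsubscriptions%2F31441895%2Fdetails",
]


def external_redirect_target(url):
    """Return the decoded destination if `url` carries a redirect parameter
    whose target host differs from the URL's own host, otherwise None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # parse_qs percent-decodes each value once, so an encoded
    # "https%3A%2F%2F..." comes back as a normal absolute URL.
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            # A protocol-relative value like //other.example/x is an
            # off-site destination too; give it a scheme so it parses.
            candidate = "https:" + value if value.startswith("//") else value
            dest = urlsplit(candidate)
            # Only absolute http(s) targets to another host are interesting;
            # a path-only value such as /account stays on the same site.
            if dest.scheme in ("http", "https") and dest.hostname:
                if dest.hostname.lower() != host:
                    return value
    return None


def scan_log(lines):
    """Return (line_number, hosting_host, external_target) for each hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        url = line.strip().split()[-1]          # URL is the last field
        target = external_redirect_target(url)
        if target:
            hits.append((number, urlsplit(url).hostname, target))
    return hits


if __name__ == "__main__":
    for number, host, target in scan_log(SAMPLE_LOG):
        print(f"line {number}: {host} redirects off-site to {target}")
```

The benign lines are not flagged because a path-only `next=/account` never leaves the site and `redirect=` pointing back to the same host is the intended use. Hits still need analyst review: an off-site redirect is the pattern the campaigns above rely on, not proof of phishing on its own.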
Final thoughts
The difficulty of this attack is as simple as finding the redirecting functionality of a site, and in this day and age almost every site has one. While this type of attack doesn't have much of an immediate impact on the company itself, it can be damaging to the company's reputation, not to mention the headaches of getting a valid URL removed from a blacklist of known-bad URLs. Besides validating all data before performing an action (which should be done regardless), a simple popup saying the user is leaving the site is an easy warning that protects users.
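To make the two controls concrete (validate the destination before redirecting, and warn the user before sending them off-site), here is an added example written for this page, not code from the original post. It is a server-side redirect handler in Python using only the standard library; the application host, the allowlisted partner host and the warning page text are assumptions. It covers the URL-parameter, JavaScript and meta-refresh cases from the "How Redirects work" section equally, since all three only matter when the value they carry is chosen by the user.

```python
"""Validate a user-supplied redirect target before issuing the redirect.

Added example, not the original post's code. APP_HOST, ALLOWED_EXTERNAL and
the interstitial text are assumptions made for the demonstration.
"""
from html import escape
from urllib.parse import urlsplit, urlunsplit

APP_HOST = "www.example.com"               # assumed: the site issuing the redirect
ALLOWED_EXTERNAL = {"partner.example.net"}  # assumed: external hosts we knowingly send users to
SAFE_DEFAULT = "/"                          # where rejected values land instead


def classify_redirect(value):
    """Return ("local", path), ("external", https_url) or ("reject", reason).

    Accepted values are rebuilt from their parsed parts rather than echoed,
    so oddities in the raw input never reach the Location header.
    """
    if not value:
        return ("reject", "empty")
    if any(ord(ch) < 32 for ch in value):
        return ("reject", "control")        # CR/LF would corrupt response headers
    # Browsers treat '\' like '/' in URLs, so "/\other.example" is really
    # "//other.example"; normalise before parsing so the check below sees it.
    value = value.replace("\\", "/")
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return ("reject", "scheme")         # javascript:, data:, etc.
    if not scheme and not parts.netloc:
        # Path-only value: a single leading '/' keeps the user on this site.
        if value.startswith("/") and not value.startswith("//"):
            return ("local", urlunsplit(("", "", parts.path, parts.query, "")))
        return ("reject", "relative")
    # hostname strips "user:pass@", so "https://www.example.com@other.example"
    # correctly resolves to other.example here, and it strips the port.
    host = (parts.hostname or "").lower()
    if host == APP_HOST:
        return ("local", urlunsplit(("", "", parts.path or "/", parts.query, "")))
    if host in ALLOWED_EXTERNAL:
        if scheme != "https":
            return ("reject", "scheme")     # protocol-relative or plain http
        return ("external", urlunsplit(("https", host, parts.path or "/", parts.query, "")))
    return ("reject", "host")               # exact match only: no suffix tricks


def redirect_response(value):
    """Return (status, headers, body) for a /redirect?url=... style handler."""
    kind, target = classify_redirect(value)
    if kind == "local":
        return (302, {"Location": target}, "")
    if kind == "external":
        # Interstitial instead of a silent 302: the user sees where they are going.
        body = (
            "<p>You are leaving {app}. Continue to "
            '<a href="{url}">{url}</a>?</p>'
        ).format(app=escape(APP_HOST), url=escape(target))
        return (200, {"Content-Type": "text/html; charset=utf-8"}, body)
    return (302, {"Location": SAFE_DEFAULT}, "")


if __name__ == "__main__":
    for sample in ["/account?tab=1", "//other.example/x", "https://www.example.com@other.example/",
                   "javascript:alert(1)", "https://partner.example.net/doc"]:
        print(f"{sample!r:45} -> {classify_redirect(sample)}")
```

Two design choices matter here. The allowlist uses an exact host match, which defeats look-alike hosts such as `www.example.com.other.example` and credential-prefixed URLs that put the trusted name before an `@`. And the handler never writes the raw parameter into the Location header; it reconstructs the target from the parsed path and query, so the redirect is always either a same-site path, an interstitial for an approved partner, or the safe default.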