[tptacek]

I don't know, I think this case is pretty flimsy. In practice, the value of an open redirect against modern applications is for "phishing". But speaking as someone who has dealt with several ATO dramas over the past two years: users will click on anything. They're not hovering over links to make sure they're safe.

Open redirects are worth fixing, but they're a lot more common than I think people expect they are. I think the severity:low the "good" (unconstrained, straightforward links, persistent, across all browsers) ones get is well measured.

I see open redirects as sort of the archetype of the "t-shirt vulnerability" --- the one the bug bounty sends you swag, instead of cash, for finding.

[shittyadmin]

That's quite true, but I think the value in these attacks is that they work against more technical users than typical phishing attacks - I remember several years ago someone posted a link on a large technical subreddit which appeared to be to youtube.com.

It presented a page which claimed to be an age flagged video - at the time youtube was having many problems with age flagging videos - and sure enough many people tried to login to it - they looked at the "(youtube.com)" text on reddit, they looked at their browser when they first clicked the link, but they never noticed when the URL changed to offsite when they had to login. It never struck them that a legitimate youtube link could have sent them offsite.

The solution most of those people arrived was simple though: use password managers which will force some extra suspicion if the login page doesn't behave as expected.

EDIT: Found the link and discussion, https://old.reddit.com/r/programming/comments/bpy7h/think_yo...

By the numbers it looks like about 1/2 the people who made it to the sign in page made it to the submit page. That's a pretty good result especially given that it's a technical subreddit and people were primed with "think you're immune to phishing attacks"...

[chrismorgan]

It is interesting to note that YouTube now inserts an interstitial “you are leaving YouTube” screen on its open redirect spot.

That Reddit shows the domain name next to the link (HN also) is, I think, the key here—it casually set expectations. Most link situations won’t be like that, and so I’m broadly with tptacek, that it’s not actually so useful. Plus, businesses commonly use all sorts of different domains, rather than subdomains, and something like yourbank-security.com instead of yourbank.com may not even raise eyebrows—to say nothing of people probably not even twitching at login.yourbank.com.evil.com anyway.

[Cyphase]

The results could have been skewed by people clicking through intentionally to experience the redirect.

[a1a]

Author here. Thanks for your comment. I think you have a valid point about users clicking anything. However I would only say that's the case if you send around 20 phishing mails. In a targeted attack you want to send one or two phishing mails and you wanna maximize your chances of success to avoid a reaction from the blue team.

I agree that the impact is low compared to other vulnerabilities. It is definitely the case that you get a t-shirt (at best) for it. Though, my point is that they could be critical for the users, not for the website itself. An attacker that don't really care about the vulnerable website can still exploit the trust in the vulnerable website to perform attacks on the user he is interested in (e.g. hash stealing or malicious redirects). In fact, I believe malicious redirects is a really common payload of XSS flaws.

[tptacek]

Right, but a targeted phishing attack against an internal user is just as likely to rely on an application (or a facsimile of an application) you don't control, like a benefits management portal or something that supposedly authenticates through an SSO.

I guess if your argument is that there would be high value in eradicating open redirects wholesale, I sort of see your point. But the incremental value of eliminating one open redirect is marginal at best.

[rocqua]

There is also value in customer trust. If a customer gets burned by a Google.com link, they are going to check next time they see such a link. Google would be better of if customers felt 'oh, it is Google so it must be safe'.

[wtracy]

That might not be an issue for Google, but I could see it being a big problem for a company that relies heavily on projecting a "family friendly" image (think Disney).

[dsfyu404ed]

Back in the day you could change some URL parameters and make it look like Toys R Us was selling firearms on their website because they used the same ecommerce back end as a sporting goods store. Like you'd go to the URL and it would be a hunting rifle (or whatever) but it would be on the Toys R Us site.

I don't think Toys R Us was ever harmed but it was mildly amusing and I'm sure a few people's panties got knotted after they found out Toys R Us doesn't actually sell firearms and they got all enraged over nothing.

[cosmie]

I hadn't heard of this issue specifically, but it sounds like you may be talking about eBay Enterprise[1]. They ran a lot of e-commerce operations for brick and mortar stores at one point, including both Toys R Us and Dick's Sporting Goods.

[1] https://en.wikipedia.org/wiki/EBay_Enterprise

[bjornedstrom]

As a security professional I agree. When I worked at companies with bug bounties I always considered open redirects in the lamest category of bugs, unless the open redirect was cleverly combined with other issues, which was very rare.

[Kalium]

I once worked to patch an open redirect on a system where the redirect was at the end of the oauth flow. Could have been used for some pretty nasty phishing attacks.

[tedunangst]

I suppose there's some potential for SSRF abuse, although it's easy to argue the fault lies elsewhere.

[tptacek]

Right, and also internal CSRF is in fact an underrated vulnerability.

[sb8244]

One other note for open redirects is that it can trick spam filters into thinking it's legit. Some filters follow links but some others do not. So you can use that as a way to improve spam scores maliciously.