Open Web Redirects And Phishing Holes

UPDATE: This was originally posted in June 2006. As of February 2007, Amazon, MSN, and Google have closed these security holes. However, as of February 2008 AOL is still vulnerable. If you run a large web application, please use the information below to make your redirects safe from phishing attacks.

Did you ever think that your simple JavaScript redirect page would be a security hole? Well, it is.

In June 2006 I blogged about how to stop sploggers with redirects. The technique was based on JavaScript redirects.

One of the comments in the article mentioned that the technique is tricky to get right, otherwise you would have a security hole. Basically, a scam artist could send you a link to an evil site, but it would look like a legitimate link. You would click on it, and give your username, password, or credit card thinking it was legitimate.

These kinds of scammers are called phishers, and their techniques are highly successful.

Anyway, after that post I decided to look around the internet to see if any big sites were using this redirect trick. If so, then they would have to do it in the right way, otherwise it would be a security hole.

Guess what? Amazon, MSN, and Google all have this security hole.

My first stop was amazon.com. They added this new wiki feature so that the public could create a wiki for each book. The problem with open contribution on wikis is that if you make a link from Amazon.com to your site, then your site's Google rank will greatly increase. This may be legitimate, but too often it leads to spam-blogs, as mentioned before.

So, to prevent spam-blogs, Amazon uses a redirect trick. However, they did not do it correctly. Look at the link below. Where do you think it goes? It looks like Amazon.com, but it's actually a link to my home page.

http://www.amazon.com/gp/redirect.html/?location=%68%74%74%70%3A%2F%2F%62%65%78%68%75%66%66%2e%63%6f%6d

So what's the big deal? Well, let's say I set up a site that looked exactly the same as Amazon. Also assume I sent out a bunch of emails containing the evil link. I say in the email that somebody just ordered $10,000 worth of electronics from Amazon with your account. For your protection, we flagged it as a possible identity theft scam. Would you please log into our site, and re-provide your credit card number for verification?

hmmm... would you be able to tell that this email was a scam? The URL goes to Amazon, and I don't want somebody charging $10,000 on my card... Yes oh yes please let me log in to your evil site and give you my information!

Amazon is not alone... check out MSN:

http://msid.msn.com/mps_id_sharing/redirect.asp?%62%65%78%68%75%66%66%2e%63%6f%6d

Or this MSN link:

http://msid.msn.com/mps_id_sharing/redirect.asp?bexhuff.com

Or even Google:

http://www.google.com/url?q=%68%74%74%70%3A%2F%2F%62%65%78%68%75%66%66%2e%63%6f%6d

Both Yahoo and EBay seem to do it right, or at least I wasn't able to discover how to redirect in under ten minutes of Google hacking...

Yahoo appears to use unique internal IDs instead of full URLs. That means that you cannot simply create a URL and use Yahoo to redirect to it. Your URL has to be registered somehow in their internal system, and then you can redirect to it according to its ID. Less flexible, but that's security for ya!

In the past, phishers would go so far as to hack into web sites, then send out emails directing people to phony pages on legitimate sites. A few years back EBay Germany was hacked like this. The hackers did not bother to try to directly attack EBay's user repository; rather they added a few pages to one of the web sites, and tricked people into logging in through their page instead.

In other words, EBay could have had the most secure data repository in the world, but it didn't matter. All the phishers had to do was trick people into thinking the secure EBay login was somewhere else... and they got all the data they needed.

With these kinds of open redirects -- or phishing holes -- lying about, the job is even easier for the phishers. Now they don't have to bother hacking into a site at all! They can simply locate an open redirect, and send out a URL like the ones above.

On government web sites, people usually get a big giant JavaScript warning whenever they are clicking on a link that takes them outside of the site. That's the easiest way to fix this: configure your redirect page to know when you're about to redirect to another site, and display a warning page. If it's a redirect within your site, do it invisibly.

If you want it to be less abrupt for the users, you should implement something like what Yahoo does: use internal IDs for each URL, and have some kind of secure process for adding a link to the list of valid redirects.
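The two fixes above (warn on off-site redirects, or only redirect to pre-registered IDs) as an added example, not code from this post or from any of the sites named; `SITE_HOST` and the registered-link table are constructed. The host check runs after percent-decoding, so the `%68%74%74%70...` links quoted above are classified as external rather than slipping through a naive string comparison.

```python
from urllib.parse import urlsplit, unquote

SITE_HOST = "www.example.com"  # assumed: the host running the redirect page

# Constructed allowlist of registered external links, keyed by an opaque ID
# (the Yahoo-style scheme described above: no free-form URLs accepted).
REGISTERED_LINKS = {
    "a1b2": "https://partner.example.org/deal",
}


def classify_redirect(location):
    """Return ("internal", url), ("external", url) or ("reject", None).

    `location` is the raw redirect parameter, possibly percent-encoded.
    Decode once, then decide based on the parsed host, not on text.
    """
    target = unquote(location)
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return ("reject", None)  # javascript:, data:, etc.
    if not parts.netloc:
        # Host-less value: only an absolute path on this site is internal.
        # "bexhuff.com" (bare host) and "//bexhuff.com" are not.
        if target.startswith("/") and not target.startswith("//"):
            return ("internal", target)
        return ("reject", None)
    # .hostname drops userinfo and port, so "www.example.com@evil.com"
    # is compared as "evil.com", and it lowercases the host.
    host = parts.hostname or ""
    if host == SITE_HOST:
        return ("internal", target)
    return ("external", target)


def redirect_response(location):
    """What the redirect page should do: (status, body_or_location)."""
    kind, url = classify_redirect(location)
    if kind == "internal":
        return (302, url)  # same-site: redirect invisibly
    if kind == "external":
        return (200, "warning:" + url)  # interstitial naming the destination
    return (400, None)


def resolve_registered(link_id):
    """ID-based redirect: only pre-registered URLs are reachable."""
    return REGISTERED_LINKS.get(link_id)
```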

7-18-06 Update: Amazon appears to have added a security token to their redirect page, so it is less hackable. They have added a 20-digit hexadecimal token to their redirect URLs. Now the only question is how long is that token valid? An evil hacker can still put an evil link in a comment on an obscure book's web page. That will allow him to generate the secure token.

Then the only hope is that the token will expire within a few hours, or that Amazon is monitoring how people use these redirects.
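A token that answers the expiry question above, as an added example rather than Amazon's actual scheme: the token is an HMAC over the target URL together with an expiry timestamp, truncated to 20 hex digits to match the length observed. The key, the HMAC construction and the timestamp format are assumptions.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key"  # assumed: server-side secret, never sent out


def sign_redirect(target, expires_at, key=SECRET_KEY):
    """Bind a target URL to an expiry time (Unix seconds) in a 20-hex-digit token.

    Binding the expiry into the signed message means a token harvested from
    a page cannot be reused after it lapses, nor moved to a different URL.
    """
    msg = f"{int(expires_at)}|{target}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:20]


def verify_redirect(target, expires_at, token, now=None, key=SECRET_KEY):
    """True only if the token matches this target and has not expired."""
    now = time.time() if now is None else now
    if now > int(expires_at):
        return False
    expected = sign_redirect(target, expires_at, key)
    return hmac.compare_digest(expected, token)  # constant-time comparison
```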

11-28-06 Update: The redirect links to MSN also appear to be fixed, which now just leaves the Google redirect hole. Hopefully they will follow in the footsteps of MSN and Amazon and add some security to their redirects.

2-16-07 Update: Google has finally closed their security hole by adding a simple redirect warning page... but countless more remain on the internet.

comments

Just an FYI

I did do due diligence and notify Google, Amazon, and MSN about this security hole before I blogged this post.

I received a reply from Amazon, stating they didn't think it was a problem. I have not yet gotten a reply from MSN or Google. In the past week, my blog has had a dozen visits from Amazon employees. They did say they would monitor the situation, and indeed they are...

I understand if MSN decides to ignore this problem; they don't have very many internet services that you pay for. Their loss... because that's where the money is these days: software as a service. Office 12 seems to get this, I wonder why MSN is lagging?

I am greatly concerned with Google that they took no interest in this problem. They just launched a PayPal competitor, and a redirect hole in Google will cause a huge number of problems...

I emailed Google again, let's hope they listen this time.

Web URL redirectors are ok as long as they're done right

I have a redirector on my website, but I protect it with a secret key so an authentication token needs to be sent along with the URL. See here for more details:

https://secure.grepular.com/Secure_URL_Redirects_using_Apache_ModRewrite_and_ModSecurity
