UPDATE: This was originally posted in June 2006. As of February 2007, Amazon, MSN, and Google have closed these security holes. However, as of February 2008 AOL is still vulnerable. If you run a large web application, please use the information below to make your redirects safe from phishing attacks.
One of the comments in the article mentioned that the technique is tricky to get right, otherwise you would have a security hole. Basically, a scam artist could send you a link to an evil site, but it would look like a legitimate link. You would click on it, and give your username, password, or credit card thinking it was legitimate.
These kinds of scammers are called phishers, and their techniques are highly successful.
Anyway, after that post I decided to look around the internet to see if any big sites were using this redirect trick. If so, then they would have to do it in the right way, otherwise it would be a security hole.
Guess what? Amazon, MSN, and Google all have this security hole.
My first stop was amazon.com. They added this new wiki feature so that the public could create a wiki for each book. The problem with open contribution on wikis is that if you make a link from Amazon.com to your site, then your site's Google rank will greatly increase. This may be legitimate, but too often it leads to spam-blogs, as mentioned before.
So, to prevent spam-blogs, Amazon uses a redirect trick. However, they did not do it correctly. Look at the link below. Where do you think it goes? It looks like Amazon.com, but it's actually a link to my home page.
So what's the big deal? Well, let's say I set up a site that looked exactly the same as Amazon. Also assume I sent out a bunch of emails containing the evil link. I say in the email that somebody just ordered $10,000 worth of electronics from Amazon with your account. For your protection, we flagged it as a possible identity theft scam. Would you please log into our site, and re-provide your credit card number for verification?
hmmm... would you be able to tell that this email was a scam? The URL goes to Amazon, and I don't want somebody charging $10,000 on my card... Yes oh yes please let me log in to your evil site and give you my information!
Amazon is not alone... check out MSN:
Or this MSN link:
Or even Google:
Both Yahoo and EBay seem to do it right, or at least I wasn't able to discover how to redirect in under ten minutes of Google hacking...
Yahoo appears to use unique internal IDs instead of full URLs. That means that you cannot simply create a URL and use Yahoo to redirect to it. Your URL has to be registered somehow in their internal system, and then you can redirect to it according to its ID. Less flexible, but that's security for ya!
In the past, phishers would go so far as to hack into web sites, then send out emails directing people to phony pages on legitimate sites. A few years back EBay Germany was hacked like this. The hackers did not bother to try to directly attack EBay's user repository; rather they added a few pages to one of the web sites, and tricked people into logging in through their page instead.
In other words, EBay could have had the most secure data repository in the world, but it didn't matter. All the phishers had to do was trick people into thinking the secure EBay login was somewhere else... and they got all the data they needed.
With these kinds of open redirects -- or phishing holes -- lying about, the job is even easier for the phishers. Now they don't have to bother hacking into a site at all! They can simply locate an open redirect, and send out a URL like the ones above.
If you want it to be less abrupt for the users, you should implement something like what Yahoo does: use internal IDs for each URL, and have some kind of secure process for adding a link to the list of valid redirects.
7-18-06 Update: Amazon appears to have added a security token to their redirect page, so it is less hackable. They have added a 20-digit hexadecimal token to their redirect URLs. Now the only question is how long is that token valid? An evil hacker can still put an evil link in a comment on an obscure book's web page. That will allow him to generate the secure token.
Then the only hope is that the token will expire within a few hours, or that Amazon is monitoring how people use these redirects.
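To make the three designs concrete (the open redirect the post describes, the Yahoo-style registry of internal IDs, and the Amazon-style token with the expiry this update hopes for), here is an added example that is not from the post or from any of the sites named; the registry contents, the secret, and the request dictionaries are constructed stand-ins, and the token scheme is an illustrative HMAC design, not Amazon's actual one.

```python
import hashlib
import hmac

# Constructed sample registry: only links that went through a controlled
# submission process get an internal ID (the Yahoo approach from the post).
REGISTRY = {
    "a1b2": "https://www.example.org/reviews/42",
    "c3d4": "https://partner.example.net/",
}
SECRET = b"constructed-server-side-secret"  # assumption: never sent to clients


def open_redirect_target(params):
    """The hole from the post: the ?url= parameter is trusted as-is."""
    return params.get("url")


def registry_redirect_target(params):
    """Registry approach: a raw URL in the request can never be a target."""
    return REGISTRY.get(params.get("id"))


def sign_url(url, issued_at):
    """Mint a token binding the destination to the time it was issued."""
    msg = f"{issued_at}|{url}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def token_redirect_target(params, now, max_age=3600):
    """Token approach with expiry. A valid token only proves the server once
    minted it (an attacker can still get one minted, as the post notes), so
    the short max_age is what limits how long a harvested link stays useful."""
    url, issued, token = params.get("url"), params.get("ts"), params.get("token")
    if url is None or issued is None or token is None:
        return None
    try:
        issued = int(issued)
    except ValueError:
        return None
    if issued > now or now - issued > max_age:
        return None  # expired or forged timestamp
    if not hmac.compare_digest(token, sign_url(url, issued)):
        return None  # destination or timestamp was tampered with
    return url
```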
11-28-06 Update: The redirect links to MSN also appear to be fixed, which now just leaves the Google redirect hole. Hopefully they will follow in the footsteps of MSN and Amazon and add some security to their redirects.
2-16-07 Update: Google has finally closed their security hole by adding a simple redirect warning page... but countless more remain on the internet.