How Bad Web Security Makes It Easy To Rick-Roll

You've probably heard about the technique of Rick Rolling... it's basically the web version of the oh-so-mature "made you look" game. You tell people that a link goes to some interesting info, when in fact the link goes to a YouTube video of Rick Astley singing "Never Gonna Give You Up." It's also led to the trend of live Rick Rolling, where you trick somebody into looking at the lyrics of the song... like what happened during the 2008 Vice Presidential Debates.

Well, now people are so suspicious of YouTube links, they won't click on them anymore. So the answer is to raise the bar a little. My technique is to use open redirects from legitimate websites to hide links to YouTube!

For example... see the link below to Yelp.com? Where do you think it goes? Cut and paste it into your browser's address bar to see where it actually goes:

http://www.yelp.com/redir?storeId=&url=%68%74%74%70%3a%2f%2f%77%77%77%2e%79%6f%75%74%75%62%65%2e%63%6f%6d%2f%77%61%74%63%68%3f%76%3d%59%75%5f%6d%6f%69%61%2d%6f%56%49

It looks like a link to Yelp.com, which is a restaurant review site... but with a little URL magic, you can force Yelp to annoy people. Naturally, once Yelp catches wind of this, they will shut down the open redirect pretty fast, so you have to keep looking for more. The technique is pretty simple:

  • Find a large/important site that links frequently to small/unimportant sites... such sites usually have open redirects.
  • Poke around and see if you can spot any URLs that look like they might be redirects... the URLs might have parameters like url=http://example.com, redirect=example.com, or something similar.
  • Copy one of these redirect URLs into your address bar.
  • In the site URL, replace the redirect URL parameter with a Rick Rolling URL -- such as http://www.youtube.com/watch?v=Yu_moia-oVI -- and see if the site redirects to YouTube.
  • For advanced Rick-Rolling, you might want to disguise the link to YouTube by URL-encoding it, as in the Yelp link above.

You may now Rick-Roll with impunity...

Why do these open redirects exist? Simple: to prevent SPAM blogs. This problem was big on Amazon.com, because at first they allowed people to submit links in comments. However, that meant that folks could link back to SPAM sites from Amazon.com. This is bad enough, but when Google noticed that Amazon linked to a site, its page rank and "relevance" would increase... meaning those awful SPAM sites would have a higher rank in Google search results. There were many proposals to combat this problem... but the only one that completely solves it is to do a redirect from Amazon.com itself.

This does help the battle against SPAM, but unless you do it right it's a major security hole... people see a link that goes to Amazon.com, click on it, and then get hijacked to an evil site. The URLs look completely legit, and they bypass most SPAM/SCAM filters. These are particularly useful to phishers trying to steal bank account numbers, credit card numbers, and the like. Back in 2006 I found these security holes on Google, Amazon, MSN, and AOL. I alerted them all to the bug; some of them fixed it... however more sites every day make this same error. I'm hoping that broadcasting this technique to Rick Rollers might do some good... that way, Rick Rollers will find these security holes on new sites before hackers, crackers, and phishers do.

Basically, I'm betting that the annoying outnumber the evil... Let's hope I'm right...

why go to all that bother...

I blogged about this the other day (here: http://tinyurl.com/2w4apm).

I'm not touching that url...

I know what you're trying to do :-P

TinyUrl has a nifty "preview" feature, so you can see where a link is going to before it redirects you:

http://tinyurl.com/preview.php

That's pretty much the easiest way to block open redirects...

Old news

Google sums it up here: http://www.google.com/#hl=en&safe=off&q=dQw4w9WgXcQ&aq=f&aqi=&aql=&oq=&fp=1&btnI=3564&cad=b

"I'm Feeling Lucky" is also a security hole...

Although, you can shorten that URL up a bit:

http://www.google.com/#q=dQw4w9WgXcQ&btnI=3564

The trick above is to query Google for the text "dQw4w9WgXcQ", which is the unique identifier used on YouTube for a Rick Rolling video. Also, the parameter "btnI=3564" is the equivalent of the "I'm Feeling Lucky" button on Google. So, the URL above -- though it looks like a Google search -- will redirect to YouTube.

Personally, I feel that Google's "I'm Feeling Lucky" button is a security hole... they need to change up the API so that it needs a unique token in order to do the redirect.

RedirectUrl in UCM 10gr3

Any suggestions on blocking the same issue in UCM 10gr3?

example exploit

http://yourhost/idc/idcplg?IdcService=SAVE_USER_TOPICS&RedirectUrl=//www.bexhuff.com

RedirectHostsFilter

Set that value in the config.cfg to whatever web sites you want to allow redirects to... if it's going to bexhuff.com, then I'd wager you have something like this set:

RedirectHostsFilter=*

You should maybe set it to just:

RedirectHostsFilter=yourhost
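The "do it right" the post calls for and the RedirectHostsFilter allowlist in this reply amount to the same check: a redirect endpoint must decode the requested target and compare its parsed hostname against a fixed list before sending a Location header. The Python below is an added example (not UCM's code and not the author's); the allowlist ALLOWED_HOSTS and the function names is_safe_redirect and redirect_target are assumptions, and it is written to refuse the percent-encoded YouTube link and the scheme-relative //www.bexhuff.com target quoted above.

```python
from urllib.parse import unquote, urlsplit

# Constructed allowlist of hosts this site may redirect to; it plays the
# role of the UCM setting RedirectHostsFilter=yourhost quoted above.
ALLOWED_HOSTS = {"yourhost"}


def is_safe_redirect(raw, allowed_hosts=ALLOWED_HOSTS):
    """True only if every decoding of `raw` stays on an allowed host.

    Percent-decoding is repeated until stable so that an encoded or
    double-encoded "http://" or "//" cannot hide an off-site target.
    """
    candidate = raw or ""
    while True:
        decoded = unquote(candidate)
        if decoded == candidate:
            break
        candidate = decoded
    # Browsers treat backslashes as slashes and tolerate control characters
    # and spaces; urlsplit does not, so refuse anything they could disagree on.
    if "\\" in candidate or any(ord(c) < 0x21 for c in candidate):
        return False
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ("", "http", "https"):
        return False                      # javascript:, data:, ftp:, ...
    if parts.scheme and not parts.netloc:
        return False                      # "http:/evil" is http://evil to a browser
    if parts.netloc:
        # Absolute (http://host/...) or scheme-relative (//host/...): the
        # parsed hostname, not a string prefix, must match the allowlist, so
        # "http://yourhost@evil" and "yourhost.evil" are both rejected.
        return (parts.hostname or "").lower() in allowed_hosts
    # No host at all: only a plain site-relative path is acceptable.
    return candidate.startswith("/") and not candidate.startswith("//")


def redirect_target(raw, default="/"):
    """Value to put in the Location header: `raw` if safe, else `default`."""
    return raw if is_safe_redirect(raw) else default
```

The decoded string is only used for the decision; the caller forwards the original parameter unchanged when it passes, so nothing that was validated is re-encoded on the way out.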
