You've probably heard about the technique of Rick Rolling... its basically the web version of the oh-so-mature "made you look" game. You tell people that a link goes to some interesting info, when if fact the link goes to a YouTube video of Rick Astley singing "Never Gonna Give You Up." It's also lead to the trend of live Rick Rolling, in where you trick somebody to look at the lyrics of the song... like what happened during the 2008 Vice Presidential Debates.
Well, now people are so suspicious of YouTube links, they won't click on them anymore. So the answer is to raise the bar a little. My technique is to use open redirects from legitimate websites to hide links to YouTube!
For example... see the link below to Yelp.com? Where do you think it goes? Cut and paste it into a browser URL to see where it actually goes:
It looks like a link to Yelp.com, which is a restaurant review site... but with a little URL magic, you can force Yelp to annoy people. Naturally, once Yelp catches wind of this, they will shut down the open redirect pretty fast, so you have to keep looking for more. The technique is pretty simple:
- Find a large/important site that links frequently to small/unimportant sites... such sites usually have open redirects.
- Poke around and see if you can spot any URLs that look like they might be redirects... the URLs might have parameters like url=http://example.com, redirect=example.com, or something similar.
- Copy one of these redirect URLs into your address bar
- In the site URL, replace the redirect URL parameter with a Rick Rolling URL -- such as http://www.youtube.com/watch?v=Yu_moia-oVI -- and see if the site redirects to YouTube.
- For advanced Rick-Rolling, you might want to disguise the link to YouTube by URL encoding it. Use the form below to obfuscate a URL parameter:
You may now Rick-Roll with impunity...
Why do these open redirects exist? Simple: to prevent SPAM blogs. This problem was big on Amazon.com, because at first they allowed people to submit links in comments. However, that meant that folks could link back to SPAM sites from Amazon.com. This is bad enough, but when Google noticed that Amazon linked to a site, its page rank and "relevance" would increase... meaning those awful SPAM sites would have a higher rank in Google search results. There were many proposals to combat this problem... but the only one that completely solves it is to do a redirect from Amazon.com itself.
This does help the battle against SPAM, but unless you do it right its a major security hole... people would see a link that goes to Amazon.com, then click on it, but then get hijacked to an evil site. The URLs look completely legit, and they bypass most SPAM/SCAM filters. These are particularly useful for people who use the phishing technique to steal bank account numbers, credit card numbers, and the like. Back in 2006 I found these security holes on Google, Amazon, MSN, and AOL. I alerted them all to the bug; some of them fixed it... however more sites every day make this same error. I'm hoping that broadcasting this technique to Rick Rollers might do some good... that way, Rick Rollers will find these security holes on new sites before hackers, cracker, and phishers do.
Basically, I'm betting that the annoying outnumber the evil... Let's hope I'm right...