
Open redirect attacks: what are they and how to avoid them

Oct 25, 2022 | News

Imagine receiving a promotional email from a business you trust, sending you a “one-time-only” offer for being a customer. Because the offer sounds too good to be true, you suspect that something might be “phishy,” which is why you hover your cursor over the link to check its legitimacy. Everything looks okay, so you click on the link. But what if the link points to the trusted website and then redirects you to a malicious webpage or application controlled by scammers? That’s exactly what open redirect vulnerabilities can do.

How Do These Open Redirects Work?

Internet browsers, websites and applications have in-built functionality that allows redirecting a user from one URL to another. This can be particularly helpful in a number of use cases. For example, redirects are used when a shopping cart checkout page redirects buyers to a third-party payment provider.

How Can Redirects Be Exploited?

Phishing is all about winning the trust of victims and making scams believable. URL redirection is basically an additional layer of sophistication that boosts the credibility of a fake website or login page. If the sender’s email account is spoofed, even security-savvy users can be fooled into thinking they’re clicking on a legitimate email from a legitimate source—unless they examine the URL carefully.

Redirects can be hard to spot if the victim is using a mobile phone. This is because mobile browsers typically show only the domain of the site being visited and do not display the rest of the URL, including any parameters that carry a redirect. A malicious redirect, in its simplest form, will look something like this.

Per recent INKY research results, threat actors sent nearly 7,000 phishing emails that exploited open redirect vulnerabilities in American Express and Snapchat websites from May 2022 through July 2022. OAuth flaws can also be exploited using open redirects. OAuth is the popular, de facto standard for authentication when users want to log in or create a new account using their Facebook, Twitter, LinkedIn, Google or GitHub account credentials. Researchers discovered that by modifying OAuth parameters in valid authorization flows, attackers could trigger a redirect of the victim to an attacker-supplied site or redirect URLs in a registered malicious OAuth app. In consent phishing attacks, open redirects can be exploited for account takeovers.

How Organizations Can Mitigate Risks Related To Open Redirects

Although there isn’t any foolproof mechanism to prevent open redirect attacks from happening, there are a few things organizations can do to reduce the probability of an attack.

  1. Teach users to recognize redirects. At its core, an open redirect is a phishing attack that leverages weaknesses in everyday behaviors (e.g., judgment errors, trust, biases and carelessness). Organizations must therefore conduct security awareness training and real-world simulation exercises regularly to teach employees to recognize social engineering red flags. For example, train users to examine URLs in detail before they click on links in emails or enter their credentials. According to INKY’s vice president of security strategy, Roger Kay, they should watch for strings such as url=, redirect=, external-link and proxy, as well as check to see if there are multiple instances of “http” in the URL. All of these may be associated with a redirect. If the browser or the webpage notifies the user that the URL is redirecting them, they should take caution before proceeding to the site.
  2. Implement robust security controls. Sophisticated and targeted attacks might evade even the most sophisticated security controls. That said, some AI email security tools can probably recognize sophisticated phishing emails and filter them out. Remember to patch your software regularly to prevent attackers from exploiting any legacy vulnerabilities. Deploy phishing-resistant multifactor authentication, which can act as a secondary layer of defense in case credentials are stolen. Use a web application firewall, as it can also act as the first line of defense against open redirect attacks.
  3. Avoid implementing redirects in your own architecture. If you own a website, Kay suggests that you disallow URL redirects. Refrain from accepting URLs as an input value on your website. Use third-party experts to test your web application code and API to find any open redirect vulnerabilities. Present users with an external redirection notification that requires them to click before redirecting them to external sites. Although redirects may not directly result in a cyberattack against your organization, they can certainly cause a loss of customer trust and damage the business’s reputation.
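The two defensive ideas above, checking links for the redirect markers Kay describes (item 1) and refusing to redirect to arbitrary user-supplied URLs (item 3), can both be expressed in a few lines of code. The following is an added example written for this page; it is not code from the Forbes article, from INKY, or from any of the sites named above. The host names (trusted.example, evil.example) and the sample links are constructed, and the parameter names beyond url, redirect, external-link and proxy are assumed additions, not taken from the article.

```python
from typing import Optional
from urllib.parse import urlparse, parse_qs, unquote

# Query-parameter names the article says users should watch for, plus a few
# other names commonly used for redirect targets (assumed additions).
REDIRECT_PARAM_NAMES = {
    "url", "redirect",                                    # named in the article
    "next", "return_to", "redirect_uri", "goto", "dest",  # assumed additions
}
# Path markers from the article ("external-link", "proxy").
REDIRECT_PATH_MARKERS = ("external-link", "proxy")


def redirect_indicators(url: str) -> list:
    """Return human-readable reasons a link looks like it carries a redirect.

    This applies the manual checks from the article (suspicious parameter
    names, a full URL inside a parameter, more than one 'http' in the link)
    so they can be run over links in bulk, e.g. in an awareness tool or a
    mail-filter rule. It is a heuristic, not proof of an open redirect.
    """
    reasons = []
    decoded = unquote(url)  # undo %2F-style encoding of an embedded URL
    parsed = urlparse(decoded)
    params = parse_qs(parsed.query, keep_blank_values=True)
    for name, values in params.items():
        if name.lower() in REDIRECT_PARAM_NAMES:
            reasons.append(f"parameter '{name}' is a common redirect parameter")
        for value in values:
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.netloc:
                reasons.append(f"parameter '{name}' contains a full URL to {inner.netloc}")
    path_lower = parsed.path.lower()
    for marker in REDIRECT_PATH_MARKERS:
        if marker in path_lower:
            reasons.append(f"path contains '{marker}'")
    if decoded.lower().count("http") > 1:
        reasons.append("'http' appears more than once in the link")
    return reasons


def safe_redirect_target(raw: Optional[str], allowed_hosts: frozenset, default: str = "/") -> str:
    """Validate a user-supplied redirect target against an allow-list.

    Returns a same-site relative path, an absolute URL whose host name is
    exactly in allowed_hosts, or `default`. Other hosts, protocol-relative
    '//host' forms, non-http schemes, backslashes (which browsers treat as
    slashes) and 'user@host' tricks all fall back to `default`.
    """
    if not raw:
        return default
    target = raw.strip()
    # Reject control characters and backslashes before parsing; urlparse does
    # not normalise '\\' to '/', so '/\\evil.example' would otherwise look relative.
    if any(ord(c) < 0x20 for c in target) or "\\" in target:
        return default
    parsed = urlparse(target)
    # Case 1: relative path on this site. Must start with exactly one '/'.
    if not parsed.scheme and not parsed.netloc:
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default
    # Case 2: absolute URL; scheme and exact host name must both be allowed.
    if parsed.scheme.lower() not in ("http", "https"):
        return default
    host = (parsed.hostname or "").lower()  # .hostname drops userinfo and port
    if host in allowed_hosts:
        return target
    return default


if __name__ == "__main__":
    # Constructed sample links, not real URLs.
    for link in (
        "https://trusted.example/account/settings",
        "https://trusted.example/login?redirect=https://evil.example/steal",
        "https://trusted.example/out?url=https%3A%2F%2Fevil.example%2F",
    ):
        print(link, "->", redirect_indicators(link) or "no redirect indicators")
    hosts = frozenset({"trusted.example", "pay.trusted.example"})
    for candidate in ("/account", "//evil.example/x", "https://trusted.example@evil.example/",
                      "https://pay.trusted.example/checkout", "javascript:alert(1)"):
        print(repr(candidate), "->", safe_redirect_target(candidate, hosts))
```

The allow-list compares the parsed host name exactly, so look-alikes such as trusted.example.evil.example are rejected along with the userinfo trick; anything that fails validation lands on the site's own default page rather than being passed through. The indicator function is deliberately noisy: it is meant to surface links for a human or a filter to look at, not to block on its own.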

Studies show that users rather than technology pose the greatest risk to cybersecurity. No matter how mature security technology becomes, cybercriminals will exploit human behavior to bypass these controls. Organizations must therefore emphasize not only security awareness but also promote secure behavior and culture. If employees take cybersecurity seriously, it will go a long way toward making the organization resilient to all kinds of social engineering scams.

Source: www.forbes.com