Open redirectors

Open redirectors take you from a Google URL to another website chosen by whoever constructed the link. Some members of the security community argue that the redirectors aid phishing, because users may be inclined to trust the mouse hover tooltip on a link and then fail to examine the address bar once the navigation takes place.

Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so, we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk.

Of course, some improperly designed redirectors can lead to more serious flaws, and we often see it used to trigger the following vulnerabilities:

  • Content Security Policy bypass
  • Referrer check bypass
  • URL whitelist bypass
  • Angular ng-include bypass
  • Working redirect to javascript: or data: URL

If you notice the above issues, use the found open redirector in the exploit chain and let us know! On its own though, the open redirector will not be accepted for the VRP.