A redirect is a way to take a web surfer to another site. Redirection is very useful when done right. Instead of getting an error message that the page cannot be found you can be redirected to a page that helps you find what you are looking for. At ESET we use redirects properly. If you go to http://www.esetonlinescanner.com/ it will redirect you to our online scanner at http://www.eset.eu/online-scanner. This is very useful as it means we don’t have to have a separate web site for each URL.
Where redirects get ugly is when they are “open”. A web site should not allow you to use it to redirect someone to another location.
For example, if you type in or click on http://www.eset.com/redirect?url=http://www.example.com/ you will get a page not found error. The reason is that ESET does not have an open redirect. Friend of mine, Jason Geffner, who is a security researcher found that Linked in is running an open redirect. As of this writing, if you type in http://www.linkedin.com/redirect?url=http://www.eset.com/ it will take you to www.eset.com and this should not be allowed. The reason is that this technique is used by the bad guys to facilitate phishing attacks and trick people into installing malicious software. Redirects can appear in links that appear harmless as well.
You would expect this to take you to www.google.com, but what you see is only a label. The actual link is www.linkedin.com/redirect?url=http://www.nasdaq.com/.
By appearing to go to a legitimate site the bad guys can abuse an open redirect to trick people into going to sites they did not intend to. Be sure to look at the URL (web address) anytime you go to a web site to make sure it is really the web site you intended to go to.
The web site should not be configured like this by Linked In or any site. Open redirects are a bad practice. I hope this example doesn’t work much longer.
Randy Abrams
Director of Technical Education
