An open redirect can be used by spammers to take advantage of a site's visitors without actually compromising the site itself.
Abusing open redirect URLs lets spammers funnel a popular site's traffic and visitors to their own spam pages without placing any spam URLs or malware on the popular site.
As with phishing, it relies on deceiving novice or non-technical users (or even tech-savvy ones who should know better but aren't careful) into being redirected somewhere they did not intend to go, using open redirect URLs hosted on genuine, popular websites.
Webmasters regularly use redirects to helpfully send users in the right direction when the page they're looking for doesn't exist, has been deleted, or the site the page belongs to has moved to a different server (which would otherwise force users to update their bookmarks).
Unfortunately, some redirect URLs are open redirects: they accept any destination at all, and attackers with the right knowledge of exploit coding or scripting can manipulate and abuse them.
This kind of abuse is particularly troublesome, tedious, and time-consuming to fix because it exploits intended site functionality rather than a simple security flaw or bug that can be patched.
An open redirect is a vulnerability in the sense that spammers can use it to trick search engines, searchers, and email users into following links that appear to point to your site's new location but actually lead to a spam-filled trap.
Your domain then serves as their landing page of sorts, used to lure and gather as much traffic as possible (and, oddly enough, large volumes of traffic are a sought-after commodity on the Information Superhighway, even when some of that traffic is acquired by less than ethical means).
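The fix for the functionality problem described above is to stop the redirect from being "open": only send users to local paths or to hosts on an explicit allowlist. The following is an added example, not code from the original article; the site host `www.example.com` and the allowlist are assumed values.

```python
# Added example: validating a "next"/"return_to" redirect target so that only
# site-relative paths or allowlisted hosts are accepted. Anything else falls
# back to the site root instead of being followed.
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"                    # assumed: this site's host
ALLOWED_HOSTS = {SITE_HOST, "help.example.com"}  # assumed allowlist
FALLBACK = "/"


def is_safe_redirect(target: str) -> bool:
    """True only if target stays on this site or on an allowlisted host."""
    if not target:
        return False
    # Browsers treat backslashes like slashes ("/\evil.example" becomes
    # "//evil.example"), so normalise before parsing rather than after.
    target = target.strip().replace("\\", "/")
    parts = urlsplit(target)

    # Reject non-web schemes such as javascript: or data: outright.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False

    if parts.netloc:
        # Absolute or protocol-relative URL: the real host must be allowlisted.
        # .hostname drops userinfo and port, so "https://www.example.com@evil.example/"
        # is judged by "evil.example", not by the decoy before the "@".
        host = (parts.hostname or "").lower()
        return host in ALLOWED_HOSTS

    # No host part: accept only a plain site-relative path. A leading "//" (or
    # "///") would be resolved by browsers as a new authority, so refuse it.
    return target.startswith("/") and not target.startswith("//")


def resolve_redirect(target: str) -> str:
    """Return the URL to redirect to, or the fallback when the target is unsafe."""
    return target if is_safe_redirect(target) else FALLBACK
```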
Thankfully, Google does its best to scrub out URL redirect abuse.
Granted, false positives do occur, and Google Penguin has taken quite a lot of flak for the number of legitimate websites it has flagged as spam.
Nevertheless, it is all in the interest of end-user safety, and when push comes to shove, people would rather put up with a few false positives than have their machines invaded by a nasty cocktail of viruses, Trojans, botnets, worms, and other self-replicating, self-propagating malware spread by greedy spammers and hackers who get paid by the bandwidth for delivering traffic.