What is an Open Redirect vulnerability, why is it dangerous and how can you stay safe?

A magnifying glass viewing an HTML link
(Image credit: Shutterstock)

If you've spent more than five minutes online then you'll know web links can be dangerous, especially in unexpected emails, texts or your social media feeds. That's why you'll take a moment to check they're pointing to the right site, before you click. But you could still be missing a key detail which leaves you exposed to an attacker.

Suppose you got an email from somebody claiming to be one of the best VPN companies - let's call it ReallyGreatVPN - saying you'd won a free lifetime subscription. Sounds unlikely, but you hover your mouse over the link, and see it points to the genuine ReallyGreatVPN.com. Still sounds too good to be true, but as the link takes you to a trustworthy site, it must be safe to click. Right?

Wrong. Just because a link points you to a known domain, that doesn't mean you'll end up at that site. Many top websites can be exploited to redirect visitors from a safe-looking URL, to a malicious site under the attacker's control. And it's way, way easier than you might expect.

Open Redirect vulnerability

Websites regularly point their visitors to other URLs. They'll often link directly, but some have a central redirect method. In HTML terms, it might generate a link which looks like https://reallygreatvpn.com/redirect?goto=https://the-best-vpn-on-earth.com

This is handy for the site, because it enables running some processing tasks after a visitor clicks a link, but before sending them elsewhere. Saving their details, maybe, or keeping affiliate counts.

But there's a problem. If the site doesn't check that the URL following 'goto=' is legitimate, then hackers can easily exploit them. All they have to do is send spam with links pointing to sites they control, like https://reallygreatvpn.com/redirect?goto=https://very-bad-site.com

You see the beginning of the link, it's a familiar and trusted domain, and assume it's safe. In some cases you'll only see a few characters of the URL, so the goto= might not even be visible. You click the link, and it really does go to the legitimate reallygreatvpn.com site. 

Unfortunately, because the target site isn't checking its redirects - an issue known as an Open Redirect vulnerability - it just sends you to whatever domain is specified in the link (even if it's very-bad-site.com.) This might then pretend to be the original site, try to steal your username and password, forcibly download malware or anything else, and all while you think you're entirely safe.

Instagram's app and logo

(Image credit: Instagram)

How common are open redirects?

Open redirects look like such an obvious issue that you'd expect them to be rare, only cropping up in tiny sites run by people who really don't know what they're doing.

Unfortunately, that couldn't be more wrong. Instagram had an open redirect revealed at the end of 2020. Google has multiple vulnerabilities active right now, though partly protected with a warning (a page appears telling you you're being redirected and naming the URL). And that's just the start.

Finding open redirects can be as easy as running a few carefully crafted Google searches. We gave this a try, and found 25+ active examples from all across the web.

The list included some big names, including media giant Thompson Reuters and a UK Times Newspaper site. We found issues in sports sites, from US Minor League Baseball to the UK's Trafford Athletic Club. And there were plenty of others in sites you'd expect to be safe: US Chambers of Commerce, New Zealand's Institute of Surveyors and assorted government-sponsored sites.

This isn't an issue restricted to sites managed by clueless newbies, then - even the internet giants can be vulnerable.

Taking open redirects seriously

Open redirects can be tricky to spot, which is one reason there are so many around. But the real problem is many companies just don't take them seriously.

For example, Google's Bug Hunter site invites attackers to report bugs and perhaps get paid for the best, but it doesn't treat the open redirect and phishing problem (opens in new tab) as significant. Tell the company about an open redirect which is only phishing-related, and it won't even file an official bug report.

We tested this ourselves, reporting the open redirects we'd uncovered to the relevant companies and asking for comments. Most didn't reply, and five months later, half of the redirects were still open.

This isn't the case everywhere. Instagram's open redirect was reported in November 2020 (opens in new tab) , and fixed by January 2021, with the finder awarded a $500 bounty. But with so many companies not taking the issue seriously, it's important that users take steps to protect themselves.

Blocking a junk email in Microsoft Outlook

(Image credit: Microsoft)

Protect yourself from open redirects

The first step in avoiding open redirects is to make sure you can see any entire link URL before you click. If you can only see the domain, or if the link is so long that you only see some characters ('https://www.reallygreatvpn.com/wp-content/bb-plugins/more-extensions...'), or there are so many escape characters that it's unreadable ('%3A%2F%2F'), then you might be at risk from an open redirect.

Click a link to an open redirect and sometimes the legitimate website displays its own page, even a 'redirecting to...' alert, before sending you off to the malicious domain. If something odd happens, a message appears and disappears before you've time to read it, don't just dismiss that and hurry on with whatever you're trying to do. Take it as a warning, and pay closer attention to what's going on.

When you reach the target site, make sure you check the URL in the address bar. Sometimes this might change for legitimate reasons, but if the final URL looks like it's just trying to be approximately like the first - replacing letters with similar-looking numbers, adding dashes or similar tricks - then that looks suspect.

Keep in mind the other tricks commonly used by spammers, too: typically, offering something amazing, or warning you about some huge problem, all to create that sense of urgency which persuades you to click first, think later (or not at all.)

If all else fails, just avoid clicking on any email or other unexpected links, and open your browser and go to the site manually. It'll take a few seconds longer, but you'll be safe from open redirects and a host of other phishing tricks and schemes.

Mike Williams
Lead security reviewer

Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.