Yahoo's http server at that time used to take redirect URLs in this format: "http://yahoo/url/*http://exiturl/". They were using these URLs on all search results, I'm guessing to track click-throughs to improve rankings. So I set up a script on our site to load an image using this format with the img src in the exit-url, and for the yahoo-url we would round robin 'client' links through. Essentially spoofing legitimate search&clicks on yahoo from unique IPs from our site visitors. Over the next two weeks all our sites started bubbling up in the results. This worked for about a month before Yahoo changed something (I'd guess they started validating the http-referrer or the exit-url), and it all stopped working.
But, for that brief window of time when it was working, I was the king of the high fives.
(FWIW, I don't do SEO work of any kind anymore, and I certainly don't advocate 'blackhat seo'.)
Every web app developer should review these vulnerabilities before releasing their code to the world.
We have an open redirect on our site that I've been looking at fixing, but while verifying all the possible links against a whitelist would work, it would be a pain.
This link looks like it's from google.com but it's not.
Incidentally I think this only works if you're currently signed in to a Google account, oh yeah it's bouncing from an HTTPS address as well.
At least that is what my browser says:
Looks like someone found a YouTube exploit.
If a browser sees an encoded URL in the query string, and then gets a location header to go to that URL, and that URL is not on the same domain, it would prompt the user that you are leaving that domain.
I can't see many sites that are legitimate, and use redirection techniques that meet all of my criteria.
http://voice.google.com/?r=google.com/voice, where the resulting URL is inside the query_string
(Can anyone think of downsides to limiting yourself to relative URLs or a whitelist of domains?)
It is very interesting that Youtube has this vulnerability. Almost every time I implement something like this, I double check the domain name. (This is really easy in PHP)
http://news.ycombinator.com/item?id=1259844 for the google.com URL
1 in 5 attempted to sign in. The results are hardly scientific, but the comments are full of users who were fooled.
civilian what's a domain? Is that like a mailing address? the Uwhat? Stop being so technical!
Nothing more, nothing less.
If you want security, start a CA, give each site you like its own SSL cert (signed by you), and enjoy.
Or possibly worse - http://www.youtube.com⁄bad-site.com/something_else
The URL http://www.youtube.com⁄bad-site.com/something_else contains characters that are not valid in the location they are found.
The reason for their presence may be a mistyped URL, but the URL may also be an attempt to trick you into visiting a Web site which you might mistake for a site you trust.
When I hover over the link you gave (or click it and see it in the address bar), it looks like http://www.youtube.xn--combad-site-hx3f.com/something_else (which lets off plenty of flags for me).
It should also be noted that it's not even a 25% benefit for them, but it does help security, even if slightly. I think lowering phishing 1% could be massive for any major bank.
You could use a botnet to do the lookups, but that still makes the attack substantially more difficult.
The answer to this security issue is either:
1) The bit.ly route - store off-site URLs your organization wants to link to as a value and give the user a URL with just the key in it.
2) Create a secret salted hash of the URL and include that with the URL in the args. Upon request, the receiver would re-hash the URL and compare it to the hash given. Unless someone reverse engineered your hash, this system prevents someone casually manipulating a URL.
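An added example (not code from anyone in this thread) of both options in Python: option 1 as a server-side key lookup, and option 2 as an HMAC over the outbound URL that the redirect handler recomputes and compares before bouncing the visitor. SECRET_KEY and LINK_TABLE are constructed placeholders; a real deployment would load them from configuration.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs

# Constructed placeholder secret; load from configuration in a real deployment.
SECRET_KEY = b"example-secret-key-rotate-me"

# Option 1: the "bit.ly route". Only keys are ever exposed in links, so a visitor
# cannot make the redirector point anywhere that is not already in the table.
LINK_TABLE = {"a1b2": "https://partner.example.com/landing"}  # constructed sample


def lookup_redirect(key: str):
    """Return the stored destination for a key, or None if the key is unknown."""
    return LINK_TABLE.get(key)


# Option 2: keyed hash over the URL. The site emits ?url=...&sig=... and the
# handler refuses any URL whose signature does not verify.
def sign_redirect(url: str, key: bytes = SECRET_KEY) -> str:
    """Build the query string for an outbound link: the URL plus its HMAC-SHA256."""
    mac = hmac.new(key, url.encode("utf-8"), hashlib.sha256).hexdigest()
    return urlencode({"url": url, "sig": mac})


def verify_redirect(query: str, key: bytes = SECRET_KEY):
    """Return the URL from ?url=...&sig=... only if the signature matches.

    Returns None for a missing or tampered parameter so the caller can fall back
    to the site's own home page instead of redirecting to an arbitrary host.
    """
    params = parse_qs(query, keep_blank_values=True)
    url = params.get("url", [None])[0]
    sig = params.get("sig", [None])[0]
    if url is None or sig is None:
        return None
    expected = hmac.new(key, url.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(expected, sig):
        return None
    return url


if __name__ == "__main__":
    q = sign_redirect("https://partner.example.com/landing")
    print(q)
    print(verify_redirect(q))                                               # the signed URL
    print(verify_redirect(q.replace("partner.example.com", "evil.example.net")))  # None
```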
If you have to be afraid of what links you click on you are running the wrong software.
I'm surprised youtube has such a basic problem on their site.
Sure, this makes phishing a little easier, but users need to watch out for themselves. It's a big bad world out there :)
I agree with you in general, but youtube shouldn't be making things harder for security.
Also, despite having "video" in the URL, the text says all you need to know. I don't think very many people around here will have a hard time figuring out how this happened. I don't need a video.
It asks for confirmation when a page tries to redirect unexpectedly like this.