Yes, One can not simply ignore Open Redirect vulnerability. Those who think open-redirect vulnerability is not a critical bug , the recent spam campaign will be the best example for how the low severity bugs can be abused by cybercriminals.
"These issues are not a direct threat to the site itself. Users are targets - sites should protect them, " Security researcher Janne Ahlberg said.
A few days ago we reported spammers exploits the CNN's open redirect vulnerability to spread the diet spam. CNN successfully fixed the bug after we have managed to contact CNN with the help of Mikko Hyppönen.
However, I know fixing the bug in CNN is not going to stop the campaign. There are plenty of top websites are vulnerable to Open-redirect security flaw. So, CyberCriminals always find another open door once we close the door.
Today, We got notified by Janne that attackers are now exploiting the open redirect bug in Ask.com - One of the Top web search engine which has alexa rank 29.
The attackers are using the same tweets content but have managed to change the link.
"I plan to lose atleast 40 pounds with your diet program! hxxx://wzus1.ask.com/r?t=p&d=us&s=a&c=a&l=dir&o=0&sv=0a5c407b&ip=5f19241a&id=94E847AC91F239E2B20A30571533AFB0&q=How+long+did+Mark+Twain+insist+his+life+story+go+unpublished%3F&p=1&qs=3045&ac=254&g=1a39vz0X%y%zxm&en=qotd&io=0&ep=&eo=&b=a001&bc=&br=&tp=171&ec=1&pt=hxxx://tumblrhealth.me&ex=&url=&u=hxxx://tumblrhealth.me …"
Apparently, the vulnerability was reported by a security researcher sony in 2010 to the company , but they failed to fix it.
I have also discovered CNN has one more unfixed open redirect security flaw :
"http://cgi.money.cnn.com/tools/redirect.jsp?url=http://www.google.com"
There are plenty of websites fail to take care of their website security. They don't even have an email address or a contact form to send our bug reports. It is time to create an email address especially for reporting bugs. Eg: Security@ Your-site .com
