by Daniel Peck, Research Scientist
Usually relegated to little more than page filler on vulnerability assessment reports, an open URL redirection is a vulnerability that doesn't usually affect the site owner directly, but it can be leveraged to lend a sense of false legitimacy to spam and phishing links that pass through it. This is nothing new in the world of spam, but we haven't seen a lot of it in social network spam until recently. What is usually easy for moderately savvy users to detect becomes much more difficult when it is shared through a Facebook link, which, as we've seen before, is trivial for malicious types to create with “likejacking” when an unsuspecting user visits their page.
In this particular case, the spammer is leveraging an open redirect on news.bbc.co.uk, a site that most users would see as trustworthy, to redirect to a site that is far from legitimate. So far it seems to be used only to push users towards the typical affiliate spam that we often see with social network scams, but similar approaches could be very successful in a more malicious context.

While it does not solve the redirection issue, one way to avoid the viral spread of these scams is to log out of social media sites like Facebook when you aren't using them, since you will then be prompted to log in if a page tries to post to your account. Savvier users can use browser add-ons such as ShareMeNot and NoScript to block access to Facebook resources from sites other than Facebook.

From a developer perspective, to make sure that your sites aren't being used to add false trust to spam campaigns, redirects should be validated and limited as much as possible: either through an allow list of URLs (or hosts) that may be redirected to, or through an intermediary page advising the user of the redirection. For more information on the vulnerability itself and its mitigations, check out this great post from Google's Webmaster Central Blog.
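One way a developer could enforce the allow-list-plus-interstitial approach described above, as an added Python example that is not from the original post. The ALLOWED_HOSTS set and the /redirect-notice page are assumptions; the function returns the validated target, or the local notice page when the target fails validation.

```python
# Added example: validate a user-supplied redirect target against an allow
# list before issuing a 302; anything else goes to a local interstitial.
from urllib.parse import urlsplit, urlunsplit

# Constructed allow list of hosts this site may redirect to (assumption).
ALLOWED_HOSTS = {"www.example.com", "example.com"}
ALLOWED_SCHEMES = {"http", "https"}
NOTICE_PAGE = "/redirect-notice"  # assumed local "you are leaving" page


def safe_redirect_target(target: str, fallback: str = NOTICE_PAGE) -> str:
    """Return `target` if it is safe to redirect to, otherwise `fallback`.

    Safe means a same-site path (a single leading '/') or an absolute
    http(s) URL whose real hostname is in ALLOWED_HOSTS.
    """
    if not target:
        return fallback
    # Browsers treat '\' like '/', so '/\evil.example' is really off-site;
    # normalise before parsing so it cannot pass as a local path.
    candidate = target.replace("\\", "/")
    # Protocol-relative URLs ('//evil.example/x') are off-site: reject.
    if candidate.startswith("//"):
        return fallback
    try:
        parts = urlsplit(candidate)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return fallback
    if not parts.scheme and not parts.netloc:
        # Same-site path: require a leading '/' and no control characters.
        if candidate.startswith("/") and candidate.isprintable():
            return candidate
        return fallback
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return fallback  # rejects javascript:, data:, mailto:, ...
    # .hostname is lowercased and excludes userinfo and port, so
    # 'https://www.example.com@evil.example/' yields 'evil.example' and
    # 'https://www.example.com.evil.example/' is not in the set either.
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return fallback
    # Rebuild the URL from the validated parts, dropping any userinfo.
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit(
        (parts.scheme.lower(), netloc, parts.path or "/", parts.query, parts.fragment)
    )
```

A plain prefix check such as target.startswith("https://www.example.com") would accept the userinfo and subdomain tricks shown in the comments, which is why the comparison is done on the parsed hostname.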