Friday, January 30, 2009 at 5:17 PM
No one wants malware or spammy URLs inserted onto their domain, which is why we all try to follow good security practices. But what if there were a way for spammers to take advantage of your site, without ever setting a virtual foot in your server? There is, by abusing open redirect URLs.
Webmasters face a number of situations where it's helpful to redirect users to another page. Unfortunately, redirects left open to any arbitrary destination can be abused. This is a particularly onerous form of abuse because it takes advantage of your site's functionality rather than exploiting a simple bug or security flaw. Spammers hope to use your domain as a temporary "landing page" to trick email users, searchers and search engines into following links which appear to be pointing to your site, but actually redirect to their spammy site.
We at Google are working hard to keep the abused URLs out of our index, but it's important for you to make sure your site is not being used in this way. Chances are you don't want users finding URLs on your domain that push them to a screen full of unwanted porn, nasty viruses and malware, or phishing attempts. Spammers will generate links to make the redirects appear in search results, and these links tend to come from bad neighborhoods you don't want to be associated with.
This sort of abuse has become relatively common lately so we wanted to get the word out to you and your fellow webmasters. First we'll give some examples of redirects that are actively being abused, then we'll talk about how to find out if your site is being abused and what to do about it.
Redirects being abused by spammers
We have noticed spammers going after a wide range of websites, from large well-known companies to small local government agencies. The list below is a sample of the kinds of redirect we have seen used. These are all perfectly legitimate techniques, but if they're used on your site you should watch out for abuse.
- Scripts that redirect users to a file on the server—such as a PDF document—can sometimes be vulnerable. If you use a content management system (CMS) that allows you to upload files, you might want to make sure the links go straight to the file, rather than going through a redirect. This includes any redirects you might have in the downloads section of your site. Watch out for links like this:
example.com/go.php?url=
example.com/ie/ie40/download/?
- Internal site search result pages sometimes have automatic redirect options that could be vulnerable. Look for patterns like this, where users are automatically sent to any page after the "url=" parameter:
example.com/search?q=user+search+keywords&url=
- Systems to track clicks for affiliate programs, ad programs, or site statistics might be open as well. Some example URLs include:
example.com/coupon.jsp?code=ABCDEF&url=
example.com/cs.html?url=
- Proxy sites, though not always technically redirects, are designed to send users through to other sites and therefore can be vulnerable to this abuse. This includes those used by schools and libraries. For example:
proxy.example.com/?url=
- In some cases, login pages will redirect users back to the page they were trying to access. Look out for URL parameters like this:
example.com/login?url=
- Scripts that put up an interstitial page when users leave a site can be abused. Lots of educational, government, and large corporate web sites do this to let users know that information found on outgoing links isn't under their control. Look for URLs following patterns like this:
example.com/redirect/
example.com/out?
example.com/cgi-bin/redirect.cgi?
Is my site being abused?
Even if none of the patterns above look familiar, your site may have open redirects to keep an eye on. There are a number of ways to see if you are vulnerable, even if you are not a developer yourself.
- Check if abused URLs are showing up in Google. Try a site: search on your site to see if anything unfamiliar shows up in Google's results for your site. You can add words to the query that are unlikely to appear in your content, such as commercial terms or adult language. If the query [site:example.com viagra] isn't supposed to return any pages on your site and it does, that could be a problem. You can even automate these searches with Google Alerts.
- You can also watch out for strange queries showing up in the Top search queries section of Webmaster Tools. If you have a site dedicated to the genealogy of the landed gentry, a large number of queries for porn, pills, or casinos might be a red flag. On the other hand, if you have a drug info site, you might not expect to see celebrities in your top queries. Keep an eye on the Message Center in Webmaster Tools for any messages from Google.
- Check your server logs or web analytics package for unfamiliar URL parameters (like "=http:" or "=//") or spikes in traffic to redirect URLs on your site. You can also check the pages with external links in Webmaster Tools.
- Watch out for user complaints about content or malware that you know for sure can not be found on your site. Your users may have seen your domain in the URL before being redirected and assumed they were still on your site.
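To make the log check above concrete, here is an added example (not code from the original post) that scans combined-format access log lines for calls to redirect-style scripts, like the go.php, search, login and redirect.cgi patterns listed earlier, and flags the ones whose destination parameter leaves the site (the "=http:" and "=//" cases, plus the backslash and double-encoded variants). The log lines are constructed, the site host is assumed to be example.com, and every parameter name other than "url" is an assumed common name to be extended for your own scripts.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/nginx "combined" access log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Parameter names that commonly carry a redirect destination. "url" is the one
# the post shows; the rest are assumed common names (extend for your own scripts).
REDIRECT_PARAMS = {"url", "redirect", "redir", "to", "dest", "goto", "return", "next"}

# Constructed sample traffic (not real log data): legitimate internal redirects
# mixed with the off-site abuse pattern described in the post.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jan/2009:10:00:01 +0000] "GET /go.php?url=/downloads/report.pdf HTTP/1.1" 302 0 "http://example.com/downloads/" "Mozilla/5.0"
198.51.100.7 - - [30/Jan/2009:10:00:02 +0000] "GET /go.php?url=http://pills.invalid/buy HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.8 - - [30/Jan/2009:10:00:03 +0000] "GET /search?q=shoes&url=//casino.invalid/ HTTP/1.1" 302 0 "http://badneighbourhood.invalid/links" "Mozilla/5.0"
203.0.113.9 - - [30/Jan/2009:10:00:04 +0000] "GET /login?url=%2Faccount HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.10 - - [30/Jan/2009:10:00:05 +0000] "GET /cgi-bin/redirect.cgi?to=https%3A%2F%2Fphish.invalid%2Flogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.11 - - [30/Jan/2009:10:00:06 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def looks_off_site(value: str, site_host: str) -> bool:
    """True when a redirect parameter points away from site_host.

    Catches absolute URLs with any scheme (http:, https:, javascript:, ...),
    protocol-relative "//host" and the backslash variant "/\\host", after one
    extra percent-decoding pass so double-encoded values are not missed.
    """
    v = unquote(value).strip().replace("\\", "/")
    if v.startswith("//"):
        return True
    parts = urlsplit(v)
    if parts.scheme:
        return (parts.hostname or "").lower() != site_host.lower()
    return False


def scan_log(log_text: str, site_host: str):
    """Return (flagged requests, calls per redirect script).

    flagged: requests whose redirect parameter leaves the site.
    hits:    how often each redirect endpoint was called at all, so a sudden
             spike on e.g. /go.php stands out even when nothing is flagged.
    """
    flagged = []
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        req = urlsplit(m.group("path"))
        params = [(k, v) for k, v in parse_qsl(req.query, keep_blank_values=True)
                  if k.lower() in REDIRECT_PARAMS]
        if not params:
            continue
        hits[req.path] += 1
        for name, value in params:
            if looks_off_site(value, site_host):
                flagged.append({
                    "ip": m.group("ip"),
                    "script": req.path,
                    "param": name,
                    "destination": value,
                    "referer": m.group("referer"),
                })
    return flagged, hits


if __name__ == "__main__":
    found, counts = scan_log(SAMPLE_LOG, "example.com")
    for hit in found:
        print(f"{hit['ip']} {hit['script']} {hit['param']}={hit['destination']} "
              f"(referer: {hit['referer']})")
    print("calls per redirect script:", dict(counts))
```

Run against the constructed sample it flags three requests (the pills, casino and phishing destinations) and leaves the two legitimate internal redirects alone; the per-script counter is the cheap way to spot the traffic spike the post mentions, since abused scripts are usually hit far more often than their legitimate use would explain.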
What you can do
Unfortunately there is no one easy way to make sure that your redirects aren't exploited. An open redirect isn't a bug or a security flaw in and of itself—for some uses they have to be left fairly open. But there are a few things you can do to prevent your redirects from being abused or at least to make them less attractive targets. Some of these aren't trivial; you may need to write some custom code or talk to your vendor about releasing a patch.
- Change the redirect code to check the referer, since in most cases everyone coming to your redirect script legitimately should come from your site, not a search engine or elsewhere. You may need to be permissive, since some users' browsers may not report a referer, but if you know a user is coming from an external site you can stop or warn them.
- If your script should only ever send users to an internal page or file (for example, on a page with file downloads), you should specifically disallow off-site redirects.
- Consider using a whitelist of safe destinations. In this case your code would keep a record of all outgoing links, and then check to make sure the redirect is a legitimate destination before forwarding the user on.
- Consider signing your redirects. If your website does have a genuine need to provide URL redirects, you can properly hash the destination URL and then include that cryptographic signature as another parameter when doing the redirect. That allows your own site to do URL redirection without opening your URL redirector to the general public.
- If your site is really not using it, just disable or remove the redirect. We have noticed a large number of sites where the only use of the redirect is by spammers—it's probably just a feature left turned on by default.
- Use robots.txt to exclude search engines from the redirect scripts on your site. This won't solve the problem completely, as attackers could still use your domain in email spam. Your site will be less attractive to attackers, though, and users won't get tricked via web search results. If your redirect scripts reside in a subfolder with other scripts that don't need to appear in search results, excluding the entire subfolder may even make it harder for spammers to find redirect scripts in the first place.
- You can also use Webmaster Tools to remove URLs. Chances are that the spammers have also hacked and abused other sites to generate links to the spammed section of your site. If you see suspicious sites or spammed forums linking in, feel free to report those to us, preferably with the verified spam report form in Webmaster Tools.
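The referer check, the internal-only rule, the destination whitelist and signed redirects from the list above fit together in one small redirect handler. The following Python is an added example, not code from the original post or from Google: the site host, the whitelist and the signing key are assumptions, and the "signature" is an HMAC-SHA256 over the destination string, which is the keyed hash that the signed-redirect advice calls for (a plain unkeyed hash would be forgeable by anyone who can read the script).

```python
import hashlib
import hmac
from urllib.parse import quote, unquote, urlsplit

# Assumed site configuration (not from the original post).
SITE_HOST = "example.com"
# Whitelist of off-site destinations the redirector may send users to.
ALLOWED_HOSTS = {"example.com", "www.example.com", "partner.example.net"}
# Constructed demo key; in production load the key from configuration, never from source.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _normalize(url: str) -> str:
    """Percent-decode once, trim, and turn backslashes into slashes so that
    "/\\evil.invalid" is judged the way browsers actually treat it."""
    return unquote(url).strip().replace("\\", "/")


def is_internal(url: str) -> bool:
    """Accept only a same-site relative path such as "/downloads/x.pdf"."""
    u = _normalize(url)
    if not u.startswith("/") or u.startswith("//"):
        return False  # rejects any scheme, "//host" and "/\\host"
    parts = urlsplit(u)
    # No scheme or host may survive parsing, and no CR/LF that could split headers.
    return not parts.scheme and not parts.netloc and "\r" not in u and "\n" not in u


def is_allowed_external(url: str) -> bool:
    """Accept an absolute http(s) URL only if its real host is whitelisted.
    urlsplit().hostname ignores userinfo, so "https://partner.example.net@evil.invalid/"
    resolves to evil.invalid and is rejected."""
    parts = urlsplit(_normalize(url))
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() in ALLOWED_HOSTS


def safe_destination(url: str, fallback: str = "/") -> str:
    """Internal-only or whitelisted destinations pass; anything else goes to fallback."""
    return url if is_internal(url) or is_allowed_external(url) else fallback


def sign(url: str) -> str:
    """HMAC-SHA256 tag over the exact destination string."""
    return hmac.new(SIGNING_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def make_signed_redirect(url: str) -> str:
    """The link your own pages emit; only the server can produce a valid sig."""
    return f"/go?url={quote(url, safe='')}&sig={sign(url)}"


def verify_signed(url: str, sig: str) -> bool:
    """Constant-time comparison so the tag cannot be guessed byte by byte."""
    return hmac.compare_digest(sign(url), sig)


def referer_is_internal(referer) -> bool:
    """Permissive referer check: a missing Referer passes (many browsers and
    privacy tools strip it); a Referer from another host fails."""
    if not referer:
        return True
    host = (urlsplit(referer).hostname or "").lower()
    return host == SITE_HOST or host.endswith("." + SITE_HOST)


def handle_redirect(url: str, sig=None, referer=None, fallback: str = "/") -> str:
    """Decision for a /go endpoint: signed links pass as-is; otherwise the request
    must come from our own pages and point somewhere internal or whitelisted."""
    if sig is not None and verify_signed(url, sig):
        return url
    if not referer_is_internal(referer):
        return fallback
    return safe_destination(url, fallback)


if __name__ == "__main__":
    link = make_signed_redirect("https://docs.example.org/page")
    print("link our pages would emit:", link)
    print("spam link from a search result:",
          handle_redirect("http://pills.invalid/buy", referer="http://search.invalid/"))
```

The order of checks matters: the signature is tested first because a signed link is proof that your own site generated it, so it may be followed even when the user arrives from a search result or an e-mail where the referer is external; unsigned links get the stricter treatment. Note that the signature must be computed over exactly the string you later verify, so sign the decoded destination and percent-encode it only when building the link.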
Open redirect abuse is a big issue right now but we think that the more webmasters know about it, the harder it will be for the bad guys to take advantage of unwary sites. Please feel free to leave any helpful tips in the comments below or discuss in our Webmaster Help Forum.
Written by Jason Morrison, Search Quality Team


25 comments:
Hum... I don't know where to write this:
Suddenly ALL SEARCH RESULTS HAVE A MALWARE WARNING
http://img230.imageshack.us/my.php?image=googlewarningsq7.jpg
even google.com
Is this you or me ?
what's going on?
Malware warnings on every result :( It's affecting me in FL but not my cousin in GA. What's going on?
Problems with search results, malware warning...THIS IS ALSO AFFECTING MY HUSBAND IN KUWAIT
I don't know what is going on at Google, but all search sites are coming up with malware warnings. Anyone have any ideas?
I am trying to get to sites that I visit often and am being redirected to a page that says it's allll bad...guess I'll be using Yahoo's search engine until you folks get this straightened out!!
Every link appeared as a harmful link.
So the reason was related to it in someway?
Crazy stuff.
I wonder if this article was a precursor to this morning's glitch?
they need to add a button to turn it off for people who have malware protection. Or add a Yahoo button.
This is nothing. Apparently early this morning some websites with the Google Analytics code embedded were redirected to some Russian spam sites.
I just saw the announcement on the google blog - but no posts here?
I really thought I had spyware on my computer - glad it was just a fluke.
Thanks for the 99.99999999999% uptime :-)
Stef
http://www.ShopDownLite.com
Thanks for the insight.
You could hold all your URL redirects in a database table, together with an id.
Your URL would look something like this: yoursite.com/redirect/out.php?id=42&url=http://someurl.com (or some prettier url with mod rewrite)
Then check if the value of the 'url' parameter corresponds to the url that you saved in the db table for id 42.
The only disadvantage to this is that you have to make a database call... but that's okay.
They removed me from the index, arguing: Dear site owner or webmaster of elcaballopinto.com,
While we were indexing your webpages, we detected that some of your pages were using techniques that are outside our quality guidelines, which can be found here: http://www.google.com/support/webmasters/bin/answer.py?answer=35769&hl=en. This appears to be because your site has been modified by a third party. Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.
We detected cloaking on your site and suspect this is the cause. For example at http://www.elcaballopinto.com/ we found:
Lasix And Drooling Augmentation Breast Looking Natural Ovulatietest Clomid Gebruik Research On Treating Proscar Side Effects Colchicine Mexico Coumadin Hearing Loss Allegra Spa Colorado Dura Brite Rims Femara With Ovulation Viagra Cost In Canada Effexor La Famvir Cold Sore Safety Of Short Term Prednisone Use Zithromax And Diarrhea Lisinopril Fatigue Changing From Zocor To Lipitor Infants And Nexium Is Paxil Safe During Pregnancy Coreg Renal Dosing Coumadin Clinic Chicago Colchicine Pricing Topamax Caution Brite Idea Plasa Clock Dosage For Lisinopril Soma Software Program How Is Aleve Created Prednisone Withdrawal And Homeopathy What Is The Cost Of Fosamax Zithromax Dog Propecia Drugs And Skin Cancer Do Celebrities Take Hgh Local Viagra Levaquin Doseage Alergic Reaction To Allegra D Lipitor Foot Spasm Plavix Bare Metal Stent Antifungal Creams For Acne Paxil Glaxosmithkine Risperdal M-tab For Rapid Tranquilization Celexa And Asprin Interactions Side Effects For Allegra D Seroquel Rhabdomyolysis Pamelor More Drug Uses Migraine Headaches Melatonin Does Accutane Help You Loose Weight Cancer Celebrex Prostate Cvs Ibuprofen Product Like Motrin Lamictal Dosage Schedule Radko Revives Shiny Brite Trademark Lamisil By Bayer
For more information about what cloaking is, visit http://www.google.com/support/webmasters/bin/answer.py?answer=66355&hl=en.
In order to preserve the quality of our search engine, pages from elcaballopinto.com are scheduled to be removed temporarily from our search results for at least 30 days.
We would prefer to keep your pages in Google's index. If you wish to be reconsidered, please correct or remove all pages (may not be limited to the examples provided) that are outside our quality guidelines. One potential remedy is to contact your web host technical support for assistance. For more information about security for webmasters, see http://googlewebmastercentral.blogspot.com/2008/04/my-sites-been-hacked-now-what.html. When such changes have been made, please visit https://www.google.com/webmasters/tools/reconsideration?hl=en to learn more and submit your site for reconsideration.
Sincerely, Google Search Quality Team
Who can I sort this out with?
The BBC does something along these lines. They like to know which pages on their site are generating traffic to the rest of the Internet. So an external link from
bbc.co.uk/example/page to the site example.com will actually go to bbc.co.uk/go/example/page/ext/_auto/-/http://example.com. The go page then redirects you to the external site. But first it checks the browser referrer header. If you're not coming from the BBC you are redirected first to a temporary warning page.
TRiG.
Quite a few sites use these redirects to give them more insightful analytics.
Is Google going to start running tests on how to prevent these redirects? Because this could affect lots of sites like the BBC who aren't using it for spam purposes.
I've noticed a few blogs that have discussed their redirects no longer passing on link equity to the new landing page, so I guess Google has already started to do some testing within this area.
thanks for your help..
www.sawwaf.org
thanks.
Anybody plz check my site and tell me what's the problem in it... it is not indexed by Google, and I am trying very much on that.... my blog is The Vintage Acoustic Guitar Blog (http://vintageacousticguitar.ruqqa.com).. plz mail me your precious suggestions to my mail
mohanramus@gmail.com..plz visit my blog
Monto,
It looks like it is something to do with the Ruqqa domain, as I can't find anything indexed for them.
Possibly due to some dodgy tactics by others sharing the domain.
I've just found this - http://www.google.com/support/forum/p/Webmasters/thread?tid=05e5ec4ce6ecdb62&hl=en
which backs that up.
I would say move the domain onto your own hosting and domain name so you don't have to worry about others. It's not expensive, and it's easy to set WordPress up.
Thanks for your help
We already faced this problem in the past.
Our three sites www.hiflagstaff.com, www.fairfieldinnflagstaff.com & www.flagstafframada.com were abused by spammers.
Spammers used our redirect.php file to spam our sites.
For this we did several things:
1) we removed our redirect.php file
2) we blocked redirect.php from our htaccess file, but we couldn't get the exact solution.
Then we used Google Webmaster's URL removal tool to remove spammy URLs. This helped us a lot; now our site's index is 95% spam free.
If anybody is getting this similar type of problem, use Google Webmaster's URL removal tool
Ya, you said it right... but I moved my site to Blogger.. if you can, plz visit
http:thevintageacousticguitar.blogspot.com
That's a week now that my blogspot www.marocliberte.blogspot.com is redirected to google.quran.com (under construction)
I sent an email to Network Solutions and received a reply telling me I have to contact Google. I sent an email to Google but did not receive a reply yet.
How can I fix the issue? Is it legal that Google redirects my blog?
Thanks
Hello,
What about 301 hijack?
I see it back again.
Excellent advice. It is time for Google to take its own advice. Blogspot is totally corrupted by the worst criminal spammers on the Internet.
98.12% - 314 of 320 active subdomains listed in last 5 days on blogspot.com were used in a redirection to illegal pharmacy sites.
The solution is to remove every blogspot site that has a reference to the unique fingerprint documented at
http://www.tebweb.com/cgi-bin/spm_forum/Blah.pl?b=spam_latest_offenders,m=1208405668
(I have not included the fingerprint here for obvious reasons!)
Google's Blogspot product has a SERIOUS security breach going on....
There are over 1000 blogspot blogs that are being created automagically, most likely via infected machines/bot programs....
For use in unsolicited spam e-mail.
If Google cares enough, they can find the complete list at http://rss.uribl.com/hosters/blogspot_com.html
There's GOTTA be a fix....all of these blogs are sooo similar; most are simply redirects which use obfuscated redirect code to blind redirect to a spam site, with no way of "reporting" the blog....
Google needs to move towards automation and destruction, rather than rely on the "community" to flag this abundance of splogs, since it's nearly impossible to keep up...