Open Redirect in for Eight Years

2013-10-14 08:10:00 +0000

While digging into some old phishing campaigns, I came across something interesting. It’s nothing earth-shattering, but the sheer length of time this vulnerability has remained viable, even after being identified in the press as actively exploited in the wild, is noteworthy.

You see, nearly eight years after being abused in a phishing campaign, the vulnerability is still present.

It starts with a piece from November 2005. The article discusses a phishing campaign which purports to be an email from the IRS but instead takes the victim to a fraudulent site that asks for their Social Security Number, credit card details, and IRS filing information.

“With there is a great opportunity for criminals by posing as the IRS to get a great deal of information, including your credit card details and Social Security number.” – Graham Cluley, Sophos

There are more details available in Sophos’ original report.

For our purposes, the interesting part is that the article gives an example of the vulnerable open redirect:

– Example Redirect URL

apparently contacted the Department of Labor about the issue back in 2005, and cites an unnamed representative as stating, “The government is aware of the issue and is working to fix it.”

Surely the government, once made aware of an active campaign abusing one of its sites and having promised a fix, can manage that fix within eight years. Right? Well, let’s see…

Current State

```
$ curl -v
* About to connect() to port 80 (#0)
*   Trying
* connected
* Connected to ( port 80 (#0)
> GET /govbenefits/externalLink.jhtml?url= HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5
> Host:
> Accept: */*
< HTTP/1.1 301 Moved Permanently
< Server: AkamaiGHost
< Content-Length: 0
< Location: http://www.benefits.govgovbenefits/externalLink.jhtml?url=
< Date: Mon, 14 Oct 2013 13:35:45 GMT
```

Some time has passed since all this was written, and it seems is no more. All visits to the site now redirect with a 301 Moved Permanently response to So too, the vulnerable URL cited by redirects to the newer branding.

Interestingly, the Location header it returns is malformed. The site-wide redirect strips the first / that follows the hostname, so the value above parses as a request to a host named www.benefits.govgovbenefits, which does not exist; any client that follows it literally fails on DNS rather than reaching the page. That probably breaks a good number of legitimate links and bookmarks as well. In effect the redirect only works for bare requests to without any path or file name following.

If we correct it by adding the missing slash, we see a much more interesting result.

Corrected for bad site-wide 301:

```html
$ curl
			window.location.href = "";
```

So here we have a JavaScript redirect to Remember, this was publicly reported and associated with a phishing campaign masquerading as the IRS almost eight years ago!

Open redirects aren’t the most severe of vulnerabilities, and their abuse doesn’t directly damage the vulnerable organization, so it’s not uncommon for them to linger. They are, however, of much more significance when the vulnerable site carries additional trustworthiness in the minds of the target victims: a link whose visible hostname ends in .gov lends a phishing email a credibility it would not otherwise have, while the victim still lands on the attacker’s page. The IRS phishing campaign noted by Sophos in 2005 is a good example of the impact. It’s a shame that even after being notified of the vulnerability, it appears those responsible for securing government web properties, and the trust the general public places in them, are unwilling or unable to respond.
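To make the fix concrete, here is an added example (not code from the post or from the site it discusses) of an externalLink-style handler written both ways: the vulnerable form that sends the user wherever the ?url= parameter says, and a hardened form that only honours same-site paths or absolute URLs whose hostname is on an allowlist. The hostnames, the allowlist and the fallback path are assumptions chosen for illustration. The hardened version also handles the inputs that typically get past a naive "does it start with /" check: scheme-relative //host, backslashes that browsers read as slashes, userinfo tricks (trusted-host@evil), trusted-host-as-prefix, non-http schemes, and embedded tab/newline characters.

```python
from urllib.parse import urlsplit

# Assumed deployment facts (hypothetical, not from the article): the hosts
# this site is allowed to send users to, and where to send them otherwise.
ALLOWED_HOSTS = {"www.example.gov", "partner.example.gov"}
SAFE_FALLBACK = "/"


def vulnerable_redirect_location(url_param: str) -> str:
    """Mirror of an externalLink?url=... endpoint: the parameter is trusted as-is.

    Whatever the attacker places in ?url= becomes the redirect target, so a
    link on the trusted site delivers the victim to the attacker's page.
    """
    return url_param


def safe_redirect_location(url_param: str) -> str:
    """Return url_param if it is a safe redirect target, else SAFE_FALLBACK."""
    # Browsers drop tab/newline inside URLs, so "java\tscript:" would survive a
    # naive scheme check. Any ASCII control character or space is rejected.
    if any(c <= " " or c == "\x7f" for c in url_param):
        return SAFE_FALLBACK

    # Browsers treat "\" like "/" in the authority position, so "/\evil.example"
    # is really "//evil.example". Normalise before parsing.
    normalized = url_param.replace("\\", "/")
    parts = urlsplit(normalized)

    # Same-site path: exactly one leading slash. "//host" is scheme-relative and
    # leaves the site, so it is not accepted here.
    if not parts.scheme and not parts.netloc:
        if normalized.startswith("/") and not normalized.startswith("//"):
            return normalized
        return SAFE_FALLBACK

    # Absolute URL: http(s) only, and only to an allowlisted hostname. Compare
    # parts.hostname, which is lowercased and has userinfo and port removed, so
    # "http://www.example.gov@evil.example/" compares as "evil.example".
    if parts.scheme.lower() not in ("http", "https"):
        return SAFE_FALLBACK
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return SAFE_FALLBACK
    return normalized


if __name__ == "__main__":
    # Constructed sample inputs, including a phishing-style target.
    samples = [
        "/account/summary",
        "https://partner.example.gov/login",
        "http://evil.example/irs-refund",
        "//evil.example/",
        "/\\evil.example/",
        "http://www.example.gov@evil.example/",
        "http://www.example.gov.evil.example/",
        "javascript:alert(1)",
        "java\tscript:alert(1)",
        "http:evil.example",
    ]
    for s in samples:
        print(f"{s!r:45} vulnerable -> {vulnerable_redirect_location(s)!r:45} "
              f"safe -> {safe_redirect_location(s)!r}")
```

The allowlist is a set of exact hostnames rather than a suffix match, because suffix matching is what lets www.example.gov.evil.example through. If external links genuinely must be supported, the usual alternatives are a signed or indexed link table, or an interstitial page that shows the destination before leaving.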


Hi, I'm Jeff.