Open Redirects: Low vulnerability with potential severe impact

The Open Web Application Security Project, or OWASP for short, included in the OWASP Top 10 2013 the Unvalidated Redirects and Forwards.

According to OWASP, "Unvalidated redirects and forwards are possible when a Web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.".

OWASP Top 10 2013 https://owasp.org/www-pdf-archive/OWASP_Top_10_-_2013.pdf

According to the OWASP Top 10 2013, this vulnerability has a moderate impact. As I've been involved in investigating phishing email campaigns, and as I see more and more open redirects used as a vehicle for deceiving the end-user, I believe we need to reassess the impact of such vulnerabilities.

Phishing as an evolving threat

The FBI, in the Internet Crime Report 2020, referring to Business Email Compromise (BEC/UEC), states:

In 2020, the IC3 received 19,369 Business Email Compromise (BEC)/ Email Account Compromise (EAC) complaints with adjusted losses of over $1.8 billion. BEC/EAC is a sophisticated scam targeting both businesses and individuals performing transfers of funds. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds

These kinds of attacks are evolving and targeting identity.

At the same time, Proofpoint indicates that

“Ransomware attacks still use email — but not in the way you might think. Ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains. Cybercriminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network. The result is a robust and lucrative criminal ecosystem in which different individuals and organizations increasingly specialize to the tune of greater profits for all — except, of course, the victim”

As I've investigated such phishing campaigns, I have seen threat actors actively abusing and exploiting Open Redirects vulnerabilities on popular legitimate Web applications. It appears that this technique tries to take advantage of two potential opportunities to steal credentials:

1. On the one hand, deceive the user by providing a link from a legitimate Web site; that site poses an Open Redirect vulnerability that redirects the user to a suspicious domain, which later downloads infected documents or scripts on the user's workstations.
2. On the other hand, as a vehicle to avoid detection. As email security solutions evolve and rely more on machine learning and artificial intelligence techniques, threat actors find novel ways to avoid detection. Consequently, they exploit Open Redirect vulnerabilities on legitimate Web sites that are used to redirect the user to a suspicious Web site. As the security tools inspect the URLs and those from legitimate Web sites, detection becomes more difficult.

As Initial Access Brokers (IAB) becomes a sophisticated threat for organizations, we, the defenders, need to understand these criminals' avenues and techniques to harvest credentials.

Final Thoughts

Open Redirects might be a low severity vulnerability. However, the impact for an organization could be high when a phishing campaign uses this technique to harvest credentials.

From the defender's standpoint, we need to proactively investigate such phishing techniques and report such vulnerabilities to the respective owners of the application in a responsible fashion.