(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

ISC Stormcast For Tuesday, April 7th, 2026 https://isc.sans.edu/podcastdetail/9882

How often are redirects used in phishing in 2026?
In one of his recent diaries, Johannes discussed how open redirects are actively being sought out by threat actors [1], which made me wonder how commonly these mechanisms are actually misused.
Although open redirect is not generally considered a high-impact vulnerability on its own, it can have multiple negative implications. Johannes already covered one in connection with OAuth flows, but another important (mis)use case for them is phishing.
The reason is quite straightforward – links pointing to legitimate domains (such as google.com) included in phishing messages may appear benign to recipients and can also evade simpler e-mail scanners and other detection mechanisms.
Even though open redirect has not been listed in the OWASP Top 10 for quite some time, it is clear that attackers have never stopped looking for it or using it. If I look at traffic on almost any one of my own domains, hardly a month goes by when I don’t see attempts to identify potentially vulnerable endpoints, such as:
/out.php?link=https://domain.tld/
While these attempts are not particularly frequent, they are generally consistent.
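As an added example (not part of the diary), the following Python script flags requests of the kind shown above in web server access logs: any request whose redirect-style query parameter carries an absolute or scheme-relative URL. The log lines, IP addresses, parameter-name list and host names are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (common log format) for illustration; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Apr/2026:10:01:02 +0000] "GET /out.php?link=https://domain.tld/ HTTP/1.1" 404 162
203.0.113.10 - - [07/Apr/2026:10:01:03 +0000] "GET /redirect?url=//evil.example/login HTTP/1.1" 404 162
198.51.100.7 - - [07/Apr/2026:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5123
198.51.100.7 - - [07/Apr/2026:10:02:05 +0000] "GET /out.php?link=/docs/page HTTP/1.1" 200 89
203.0.113.10 - - [07/Apr/2026:10:03:00 +0000] "GET /logout?next=http%3A%2F%2Fevil.example%2F HTTP/1.1" 404 162
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Parameter names that commonly carry a redirect destination (assumed list, extend as needed).
REDIRECT_PARAMS = {"link", "url", "next", "redirect", "return", "goto", "target", "dest", "continue", "ret"}

# Matches "scheme://host..." as well as scheme-relative "//host..." destinations.
EXTERNAL_RE = re.compile(r'^(?:[a-z][a-z0-9+.-]*:)?//', re.IGNORECASE)


def is_external_url(value):
    """True if the (possibly percent-encoded) value points at another host."""
    return bool(EXTERNAL_RE.match(unquote(value).strip()))


def find_redirect_probes(log_text):
    """Return (ip, path, parameter, status) for every request that passes an
    external URL in a redirect-style parameter, one hit per log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as common log format
        parts = urlsplit(m.group("target"))
        query = parse_qs(parts.query, keep_blank_values=True)  # parse_qs also percent-decodes
        for name, values in query.items():
            if name.lower() in REDIRECT_PARAMS and any(is_external_url(v) for v in values):
                hits.append((m.group("ip"), parts.path, name, m.group("status")))
                break
    return hits


if __name__ == "__main__":
    for hit in find_redirect_probes(SAMPLE_LOG):
        print("redirect probe:", hit)
```

A 404 on such a request means the endpoint does not exist here; a 3xx on one would be the case worth investigating.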
We also continue to see open redirect used in phishing campaigns. Last year, I wrote about a campaign using a “half-open” (i.e., easily abusable) redirect mechanism on Google [2], and similar cases still seem to appear regularly.
But how regular are they, actually?
To find out, I reviewed phishing e-mails collected through my own filters and spam traps, as well as samples sent to us here at the ISC (either by our professional colleagues, or by threat actors themselves), over the first quarter of this year. Although the total sample only consisted of slightly more than 350 individual messages (and is therefore far from statistically representative), it still provided quite interesting results.
Redirect-based phishing accounted for a little over 21 % of all analyzed messages sent out over the first 3 months of 2026 – specifically for 32 % in January, 18 % in February and 16.5 % in March.
It should be noted that if a message contained multiple malicious links and at least one of them used a redirect, the entire message was counted exclusively as a redirect sample, and that not all redirect cases were classic “open redirects”. In fact, the abused redirect mechanisms varied widely.
Some behaved similarly to the aforementioned Google-style “half-open” redirects (see details below), while others were fully open. In some cases, the redirectors were part of tracking or advertising systems, while in others, they were implemented as logout endpoints or similar mechanisms. It should be noted that URL shorteners were also counted as redirectors (although these were not particularly common).
As we mentioned, the Google-style redirects are not fully open: they do require a specific valid token to work. However, since these tokens are typically reusable, have a very long lifetime, and are not tied to any specific context (such as an IP address or a session), they can be – and are – readily reused in phishing campaigns.
An example of such a phishing message and the subsequent redirection can be seen in the following images. To avoid focusing solely on Google, it should be mentioned that similar redirect mechanisms on other platforms (e.g., Bing) are being abused in the same way.
As we can see, although open redirect is commonly considered more of a nuisance than an actual high-risk vulnerability these days, this does not keep malicious actors from misusing it quite heavily, which means we shouldn’t simply ignore it.
At the very least, it is worth ensuring that our own applications do not expose endpoints that can be misused in this way. And where any redirection functionality is strictly required, it should be monitored for abuse and restricted as necessary.
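As an added example (not code from the diary or the ISC), here is a Python validator an application can place in front of any redirect so that only same-site paths or absolute URLs to an allowlisted host are ever followed; anything else falls back to a safe default. The allowlist and the sample targets are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed allowlist of hosts this application may redirect to (exact match).
ALLOWED_HOSTS = {"www.example.com"}


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return `raw` if it is a same-site absolute path or an http(s) URL whose host
    is allowlisted; otherwise return `default`. Never follow the raw value directly."""
    if raw is None:
        return default
    value = unquote(raw).strip()
    # Control characters (including CR/LF) could reach the Location header; reject them.
    if any(ord(c) < 0x20 or c == "\x7f" for c in value):
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only http(s) to an allowlisted host,
        # using the parsed hostname so "user@evil" tricks do not fool a prefix check.
        if parts.scheme.lower() not in ("http", "https"):
            return default
        if (parts.hostname or "").lower() not in allowed_hosts:
            return default
        return urlunsplit(parts)
    # Relative target: require exactly one leading slash. "//host" is scheme-relative
    # and browsers treat "/\host" the same way, so reject both forms.
    if not value.startswith("/") or value.startswith("//") or "\\" in value:
        return default
    return value


if __name__ == "__main__":
    for candidate in ("/account", "https://www.example.com/docs", "//evil.example/", "javascript:alert(1)"):
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

Where a redirector must accept arbitrary destinations (tracking or advertising links), the same check is not applicable, and the endpoint should instead be rate-limited and logged so that reuse of its links in phishing can be spotted.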
[1] https://isc.sans.edu/diary/Open+Redirects+A+Forgotten+Vulnerability/32742
[2] https://isc.sans.edu/diary/Another+day+another+phishing+campaign+abusing+googlecom+open+redirects/31950

Jan Kopriva
Nettles Consulting

Big tech vows to continue CSAM scanning in Europe despite expiration of law allowing it
A European Union law allowing tech companies to scan communications for child sexual abuse materials (CSAM) expired Saturday, but several tech giants have vowed to continue the scanning despite the potential legal risk they now face.
Microsoft, Google, Meta and Snapchat released a statement on Friday saying they “reaffirm their continued commitment to protecting children and preserving privacy, and will continue to take voluntary action” to complete the scans.
The tech giants’ statement linked to a letter signed by 247 child safety organizations decrying lawmakers’ decision to let the law allowing scanning expire.
“Europe risks leaving children across the globe less protected from the most abhorrent harm,” the tech firms’ statement said.
European officials have cautioned that the scanning now violates European Union law.
“Without a legal basis, companies are no longer allowed to proactively detect child sexual abuse in private communications,” Commission spokesperson Guillaume Mercier said in a statement provided to Politico. Mercier did not immediately respond to a request for comment.
The decision to let the law allowing scanning expire was hotly contested. Critics of the law said the scanning allowed indiscriminate surveillance and represents a huge privacy violation.
But law enforcement officials, several European commissioners and German Chancellor Friedrich Merz all strongly supported maintaining legal protections for continuing the scans.
Catherine De Bolle, the executive director of Europol, published a statement saying that CSAM has been on the rise and that law enforcement will now be hobbled as they try to combat its spread.
The two sides are dug in and finding a compromise has been elusive. Lawmakers have been negotiating to find a permanent solution since November 2023 but have been unable to agree on terms.
The tech giants have previously expressed alarm about the expiration of the law allowing them to scan.
“Failure to act will reduce the legal clarity that has enabled companies for nearly 20 years to voluntarily detect and report known child sexual abuse material (CSAM) in interpersonal communication services, leaving children across Europe and around the world with fewer protections than they had before,” a March 19 statement from Google, Snapchat, Microsoft, Meta and TikTok said.
Critics have said that the tools used for scanning have led to false accusations of abuse, but the tech companies assert that their tools for detecting CSAM are foolproof. The detection regime involves the use of hash matching that links known CSAM with one-of-a-kind hashes of previously identified material stored in a database.
“The system ensures high-precision detection while adhering to privacy principles,” the tech giants said in the March 19 statement.

