What exactly are open redirects? They are a special type of web redirect that uses an unvalidated link, sometimes submitted by the user. Normally, a redirect will take the user to a specific destination that is fully defined on the server.
For example: a safe redirect is one that takes the user from URL A to URL B while remaining on the same server.
Open redirects, on the other hand, take their destination from a variable or from user input rather than from a value fixed on the server.
In a tweet, John Mueller recommended that open redirects not be used on a website:
“We generally recommend not keeping open redirects. For example, if someone were to redirect to malware or phishing content through your site, then the URLs on your site would lead there, and could be flagged.”
Please see this link to the tweet for more details.
Why are open redirects so terrible? For one thing, they are dangerous because hackers can use them for phishing attacks. They also increase the possibility of negative results when it comes to search performance.
Open Redirects Can Be Manipulated by Attackers
These types of redirects can be manipulated by attackers. One example of an attack is when hackers use an open redirect on your site to link to a fake page where personal data can be grabbed from the user.
Another example is redirecting to malware pages. If someone does this, then your site’s URL is likely to be flagged.
When a URL is flagged, it is labeled as malware. This labelling will discourage new users from visiting your site and it can damage your site’s reputation.
Another problem with open redirects concerns crawling and indexing.
The danger here is that one open redirect can produce many different redirect URLs, one for every destination supplied to it. This can result in a dangerous number of URLs that Google then has to crawl.
When this type of URL growth occurs, the technical issue is usually referred to as index bloat.
This is when Google’s index holds more URLs for a website than the site actually has.
Ironically, Google Has Been Caught Using Open Redirects Before
What’s interesting is that this happened in 2020, as NakedSecurity.Sophos.com reported:
“Yesterday morning I got a Skype message from an ex-colleague, somebody I’d not heard from in some time but was happy to reconnect with.
I say “message”, it wasn’t much of one, it was just a link. Out of the blue.
It was clearly a phish, but it caught my eye because it didn’t link to some obviously scummy or incongruous URL. It was a link to Google, and that got me wondering, how does that work?
I’ve blurred some of the URL, but the important thing is that it looks like this:
https://www.google.com/url?sa=t&url=[redacted]&usg=[redacted]
I wasn’t interested in where the link would lead me (for the record, it redirects to a punycode encoded URL that redirects to a malicious site), but I was interested to see how a Google URL was being used to get me there.
It reminded me of a very similar Skype message I’d received a few years ago, one that abused an open redirect in Google Maps, and I wondered if there was another.
Over the years, scammers have realised that keeping things simple works for them, and the simplest message of all is like this one – nothing more than a malicious link. Of course, if all they have is a link they don’t want one that’s going to put you off.
And that’s a problem, because their domains often are off-putting. Malicious websites are destined to be block listed and don’t have a very long shelf life, so there’s no mileage for them in trustworthy-looking dot coms. Instead, they often hack into legitimate websites and use those, either to host their content or to act as intermediaries.
The resulting collection of compromised dentistry blogs and mom-and-pop travel company website domains are incongruous and not widely known.
The crooks need a way to dress them up as more trustworthy.”
The author goes on to explain that hackers use this exploit in order to lead people from trustworthy domains (such as Google) to websites they would otherwise not click on.
This is why open redirects are so dangerous and why using them can cost you search performance.
If you want to learn more about the finer technical details of open redirects, we strongly recommend investing a bit of time into reading the article linked above.
That’s OK. Can’t We Just Limit Crawling of These Redirects?
No. In another tweet, Gary Illyes wrote that the solution is not to limit the Googlebot crawl rate but to fix the open redirect itself.
“If you have an open redirector on your site and googlebot is having a field day with it, the solution is not to limit googlebot crawl rate or fix something in googlebot, but to plug that open redirector.”
In other words, don’t assume that simple tricks, like restricting Googlebot, will help in any significant way.
It’s always better to fix a problem than use temporary solutions and band-aids. Get rid of that open redirect and you won’t have to worry about crawling.
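What getting rid of an open redirect can look like in practice, as an added example in Python that is not code from this article or from any site it mentions: the first function is the open redirect, the other two close it. The parameter name url, the hostnames in ALLOWED_HOSTS and the fallback path are assumptions made for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Assumptions for this example: the site's own hostnames, the fallback path,
# and a redirect parameter named "url".
ALLOWED_HOSTS = {"example.com", "www.example.com"}
FALLBACK = "/"


def open_redirect_location(query_string):
    """The open redirect: whatever arrives in ?url= becomes the Location."""
    return parse_qs(query_string).get("url", [FALLBACK])[0]


def is_same_site(target):
    """True only if a browser following `target` would stay on ALLOWED_HOSTS."""
    # Browsers treat "\" like "/" and drop tabs and newlines, so reject them
    # (and any other control character or space) before parsing.
    if not target or any(ch == "\\" or ord(ch) <= 0x20 for ch in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept a rooted path such as "/account", but
        # not "//host" or "///host", which browsers resolve to another host.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname ignores userinfo and port, so "example.com@evil.example"
    # is judged by the host the browser would really contact.
    return parts.hostname in ALLOWED_HOSTS


def closed_redirect_location(query_string):
    """The fix: fall back to a server-defined page unless the target is ours."""
    target = open_redirect_location(query_string)
    return target if is_same_site(target) else FALLBACK
```

With this check in place, every off-site destination collapses to the same fallback page, so the redirect no longer lends the site's URL to other domains.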