Important lesson for coders: Don’t use open redirects!

DART Enterprise login

Let me tell you a story…

At the start of 2002, DoubleClick purchased NetGravity.  It was a company that had an enterprise ad server, so it seemed like a natural fit.  The product was renamed to “DART Enterprise” and was a product people could buy and install on their own servers.  It was really a great product that allowed for a lot of versatility in ad tagging, targeting, and reporting.

Monster.com used DART Enterprise (aka “DE”) instead of DoubleClick’s DART For Publishers (“DFP”…now “DoubleClick for Publishers”) because we liked having control over the servers, and for the ridiculous amount of ad targeting the company wanted, it was the only solution available at the time.  (Seriously, it was a RIDICULOUS amount.  Want to target entry-level accountants in Boise, ID who had a bachelor’s degree and were searching Monster Australia for plumbing jobs in San Francisco?  You could.)

We ran DE on a server at ads.monster.com, which was good because anyone who was blocking “doubleclick.net” ads wouldn’t block us.

DE would serve up ads that matched targeting and record an ad impression.  If someone clicked the ad, it would record the click for the ad ID in the link and then redirect the user to wherever the ad was supposed to point.

Around 10 years ago, we noticed an issue where some ads were getting thousands of clicks, but the ads themselves weren’t getting impressions.  A 600% click-through rate?  Something’s wrong.

Upon investigation, we realized that spammers were taking our click-through URLs, changing the destination, and pointing them at their spam sites.  By routing their spam links through ads.monster.com, they were “legitimized”: any anti-spam or anti-phishing software wouldn’t see a link to “MaleEnhancementPills.com”, it would see a legitimate link to Monster.

Finally, around a year later, we got DoubleClick to update DE so that it would only redirect legitimate URLs that matched the ad ID.  Spammers could no longer use our ad server (or anyone’s DE ad server) for open redirects.

Flash forward to May 2014.  Podtrac is down.  Google flagged them as malware.  A malware distributor was likely doing the same thing with Podtrac redirects that spammers used to do with DE redirects: point one of those Podtrac URLs at your malware, and if anything gets flagged, it’s Podtrac that takes the hit rather than the malware site.  (Podtrac has since corrected their redirects to prevent this and only allow redirects to valid customer URLs.)

Anyway, the point of this story is to spread the knowledge to others: when you do redirects, make sure it’s not possible for anyone to turn them into an open redirect to anything on the Internet.  One approach is to strip out the destination hostname and insert the known, legitimate one into the redirect yourself.  Whatever you do, you don’t want to stumble into the same trap that others have already fallen victim to.
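To make the fix concrete, here is an added example (not DART Enterprise, Podtrac, or Monster code) that puts the pre-fix click handler beside the hardened one described above: the safe version takes the destination from what was registered for the ad ID and rejects a client-supplied URL that doesn’t match it.  The ad registry, hostnames, and parameter names (`ad`, `url`) are constructed placeholders.

```python
"""Click-tracking redirect resolver: open redirect vs. ad-ID-bound destination.

Constructed example.  AD_REGISTRY and all URLs are invented placeholders.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed ad registry: ad ID -> the destination the advertiser registered.
AD_REGISTRY = {
    "1001": "https://www.example-advertiser.test/landing",
    "1002": "https://jobs.example.test/apply?src=banner",
}


def resolve_click_open(query: str) -> Optional[str]:
    """Pre-fix behaviour from the story: count the click for the ad ID, then
    redirect to whatever URL the link carries.  Anyone can rewrite the
    destination, so this is an open redirect."""
    params = parse_qs(query)
    return params.get("url", [None])[0]


def _normalize(url: str) -> tuple:
    """Reduce a URL to (scheme, host, path, query) so that letter case or an
    explicit default port cannot make a legitimate link fail the comparison,
    and a lookalike cannot pass it."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(),
            parts.path or "/", parts.query)


def resolve_click_bound(query: str, registry=AD_REGISTRY) -> Optional[str]:
    """Hardened behaviour: the redirect target comes from the destination
    registered for the ad ID.  A client-supplied url is tolerated only if it
    matches that destination exactly.  Returns None for anything that must
    not be redirected; the caller should log those, because a burst of
    rejects on one ad ID is exactly the clicks-without-impressions signal
    that exposed the abuse in the story."""
    params = parse_qs(query)
    ad_id = params.get("ad", [None])[0]
    registered = registry.get(ad_id) if ad_id is not None else None
    if registered is None:
        return None  # unknown ad ID: nothing legitimate to redirect to
    supplied = params.get("url", [None])[0]
    if supplied is not None and _normalize(supplied) != _normalize(registered):
        return None  # destination was tampered with
    return registered
```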

December 11, 2015
