Security researcher Prakhar Prasad has identified an open-redirect vulnerability in the popular instant messaging platform Meebo.
Open-redirect vulnerabilities can be leveraged by cybercriminals to lure their victims to arbitrary domains. Users believe they are visiting a legitimate, reputable site, when they are actually being seamlessly redirected to a malicious one.
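The defensive fix for this bug class is to treat the redirect parameter as untrusted input and only ever send the browser to a resolved URL on an allowlisted host. The following is an added example (not Meebo's or Google's code); the hostnames `app.example.com` and `accounts.example.com` are hypothetical placeholders.

```python
from urllib.parse import urlsplit, urljoin

# Hypothetical application origin and allowlist for this example.
SITE_ORIGIN = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com", "accounts.example.com"}


def naive_redirect(next_url: str) -> str:
    """The open-redirect pattern: the parameter goes straight into Location."""
    return next_url or "/"


def safe_redirect_target(next_url: str, fallback: str = "/") -> str:
    """Return an absolute URL on an allowed host, or `fallback`.

    The caller should emit the *returned* value in the Location header, never
    the raw parameter: resolving against SITE_ORIGIN first means ambiguous
    inputs such as "///evil.example" (which browsers may read as a host) are
    canonicalised to a path on our own origin before any decision is made.
    """
    if not next_url:
        return fallback
    # Some browsers turn backslashes into slashes and tolerate control
    # characters; refuse them rather than guess how each client parses them.
    if "\\" in next_url or any(ord(c) < 0x20 for c in next_url):
        return fallback
    resolved = urljoin(SITE_ORIGIN, next_url)  # relative paths stay on-site
    parts = urlsplit(resolved)
    if parts.scheme != "https":               # blocks javascript:, data:, http:
        return fallback
    # .hostname lowercases and strips userinfo and port, so
    # "https://app.example.com@evil.example/" yields host "evil.example".
    if parts.hostname not in ALLOWED_HOSTS:   # also rejects app.example.com.evil.example
        return fallback
    return resolved


if __name__ == "__main__":
    # Constructed sample inputs of the shapes an attacker typically tries.
    for candidate in ["/inbox?tab=1", "//evil.example/x", "https://evil.example/",
                      "https://app.example.com@evil.example/", "javascript:alert(1)"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```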
The security hole has been reported to Google, which bought Meebo back in June, but the search giant’s security team told the expert that “the security benefits of a well-implemented and carefully monitored URL redirector tend to outweigh the perceived risks.”
They’ve pointed him to the bug bounty page where they explain why such URL redirection vulnerabilities are not included in their reward program.
“Some members of the security community argue that open redirectors are a security issue,” reads the section on URL redirection.
“The common argument in favor of this view is that some users, when presented with a carefully crafted link, may be duped into thinking that they will be taken to a trusted page - but will not be attentive enough to examine the contents of the address bar after the redirection takes place.”
It continues, “On the other hand, we recognize that the address bar is the only reliable security indicator in modern browsers; and consequently, we think that any user who could be misled by a URL redirector can also be tricked in other ways, without relying on any particular trusted website to act as a relying party.”
Prakhar Prasad – who says he’s not interested in the reward – counters that while Google has a point and users should examine the site’s address bar, in practice users don’t behave as they should.
“My counter question to Google is, how many 'common' internauts do that in general, checking the address bar again and again. I don't even care whether open-redirects should qualify or not for their reward program, but if there is a security issue (of any kind) it should be properly addressed,” the expert told Softpedia in an email.
Update. The researcher has informed us that the vulnerability has been silently addressed.