LinkedIn providing open redirect

Lax website setup could be used to trick the unwary.

Popular professional networking system LinkedIn has been allowing free redirects from its website, providing spammers and phishers with a way of providing links which appear to lead to the contact system but instead take victims to malicious or deceptive sites.

The practice of using genuine websites to establish user trust is common among cyber criminals, as shown by a recent example of spams using Google advanced searches to get past spam filters and lend an air of legitimacy to advertising links. The flaw in the design of the LinkedIn site, still active at the time of writing, is much simpler, allowing links to be created leading to the genuine site, which then simply redirects to another site included in the link.

Comment on the practice of allowing open links from ESET's Randy Abrams is here.

08 November 2007

Tags: social engineering, social networking, spam. del.icio.us digg this