Web testing security, or Does your website help spammers?

Today I was trawling through my Yahoo mail and noticed that a spam message had made it through to my inbox. I read through my mail, expecting to just delete the spam message when I eventually got to it. When I did, it struck me as unusual. In addition to the message body, there was the usual link. But it looked like this:

http://www.google.com/search?hl=en&q=inurl:ma…….ls&btnI=I=Im+Feeling+Lucky

I was surprised. It was a link to a Google search. I hovered over the link, and it wasn’t just a clever ploy to make me think I was going to Google. It was actually a spammer exploiting Google’s “I’m Feeling Lucky” functionality to redirect someone unwittingly to the spam site.

If you want to see this in action (the link above won’t work), you can try this:

http://www.google.com/search?hl=en&q=inurl:quinert.com&btnI=I=Im+Feeling+Lucky

Now, you can probably filter this just by looking for the “Im+Feeling+Lucky” keyword, as it is highly unlikely that anyone would send you a legitimate URL containing it. But it does point to an interesting kind of exploit that we might need to be aware of when we’re developing websites. More generally, when we are testing a web-based product and thinking about security risks, we also need to think about how our website might help spammers.
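As an added illustration (not code from the original post), here is a small filter in the spirit of the keyword check above, but slightly more robust: rather than matching the literal text “Im+Feeling+Lucky”, it recognises the shape of the abuse (a Google search link carrying the btnI redirect parameter with an inurl: query) and extracts the domain the link would actually land on. The sample links are constructed for this example.

```python
# Added example (not from the original post): flag links that abuse Google's
# "I'm Feeling Lucky" redirect to hide a spam domain, and pull out that domain.
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample links in the style of the one quoted in the post.
SAMPLE_LINKS = [
    "http://www.google.com/search?hl=en&q=inurl:quinert.com&btnI=I=Im+Feeling+Lucky",
    "http://www.google.com/search?hl=en&q=inurl:example.test&btnI=1",
    "http://www.google.com/search?hl=en&q=web+testing+security",
    "http://www.example.test/search?q=inurl:foo&btnI=1",
]


def feeling_lucky_target(url):
    """Return the domain a 'Feeling Lucky' redirect link would land on, or None.

    A link qualifies when it points at Google web search, carries the btnI
    parameter (which sends the browser to the first result instead of a
    results page) and its query is an inurl: operator, which steers that
    first result towards the named site.
    """
    parts = urlparse(url)
    host = parts.hostname or ""
    if not (host == "google.com" or host.endswith(".google.com")):
        return None
    if parts.path != "/search":
        return None
    params = parse_qs(parts.query)
    if "btnI" not in params:
        return None
    query = params.get("q", [""])[0]
    match = re.match(r"inurl:([A-Za-z0-9.-]+)", query)
    return match.group(1) if match else None


def flag_spam_redirects(urls):
    """Map each suspicious URL to the domain it would redirect to."""
    flagged = {}
    for url in urls:
        target = feeling_lucky_target(url)
        if target:
            flagged[url] = target
    return flagged


if __name__ == "__main__":
    for link, target in flag_spam_redirects(SAMPLE_LINKS).items():
        print(f"{link}\n  -> redirects to {target}")
```

The extracted domain is what you would feed into a blocklist or reputation lookup, rather than trusting the google.com host shown in the link.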

The most common functions of this type that leap to mind are ‘Email to a friend’ features, where, using tools like WebScarab or a hand-crafted HTML page, a website can be made to send anonymous or faked emails to anyone you like.

What others can you think of?
