Why do security researchers consider Open Redirects a vulnerability?

Open Redirects are indeed seen as a vulnerability by some members of the security community.

Most of the time it is because the OWASP Top 10 (v2010/2013) used to include it at the last position ("A10: Unvalidated Redirects and Forwards").

The main argument for this entry is that users could be duped into trusting the link because the tooltip shows a known domain name, and may not notice the change of domain name after the navigation occurs. However, the OWASP description of the issue explains that this is only one way to conduct a phishing attack.
It is not a direct vulnerability of the website, and cannot be abused by an attacker easily, unless another issue is present.

Why doesn't Odoo consider this a vulnerability?

In modern browsers, the address bar is the only reliable content origin indicator available. Browsers put a lot of efforts to provide visible security feedback in the address bar (SSL certificates, etc.) This is why Odoo recommends the use of valid SSL certificates in order to help the user identify changes in the address bar (Odoo Online is running exclusively on HTTPS).

On the other hand, tooltips can be easily forged and must never be trusted as security indicators!

More importantly, any user who could be fooled by a phishing tooltip could also be fooled without using an open redirect link. It is a common technique for attackers to register a similar domain name and send emails with phishing links bringing to the fake website. Eliminating URL redirectors will not block this, so it will not increase much the security of the users. But it would break some features that our users are actively depending on, or make Odoo deployments more complex.

So we don't consider open URL redirect reports as valid security issues, unless they can be chained with other real exploits such as XSS by redirecting to a data: or javascript: URL. If you find a real exploitable scenario with a directly exploitable XSS, please report it. (Note: modern browsers block those unsafe redirects in most cases now)

 

But isn't Odoo wrong? Other people seem to accept this vulnerability!

No, really, we're not alone there ;-)

If you're not convinced by the above, we have other reasons to be comforted in our position:

• Open Redirects have now been dropped from the OWASP Top 10 2017, after feedback from the security community. You can find the OWASP Top 10 2017 here. You can also see the explanation for the removal of issue "A10-Unvalidated Redirects and Forwards" in the release notes (p.4).

• Many application vendors share our policy. For example Google and Yahoo/Verizon don't accept Open Redirects ("Intentional Open Redirects") issues either, for the same reasons.