The following "Google redirection url" vulnerability has been disclosed on Full-Disclosure mailing list recently:
!Note, working clickable example included!
From the report:
"Here is the link:
google.com/url?q= http ://whmt.blogspot.com/&sa=D&sntz=1&usg=1'
This link will redirect you to my blog (whmt.blogspot.com/).
[URL modified to make it safe, J-M]
And the original report by White Hat Mac Team (WHMT) is located at
including working URL as well.
Why is this bad?
Google uses a redirection URL that says "Redirecting you to..." when you click on the link.
I agree, this is not a very bad issue.
And the report of White Hat Mac Team is not very professional...
>>I agree, this is not a very bad issue.
Negative. If you think this (blogoscoped.com/archive/2007-0 ...) is bad, the URL redirect is worse.
Yeah, when you see the text 'Redirecting you to SOMETHING' it's too late.
You're right, I didn't do it very professionally. The flaw works well on Safari (Apple's browser), but if you use it with Firefox or Opera, you will be notified with: "Redirecting to..." However, it disappears very quickly.
So, there is a flaw that can be used for phishing against a user of Google services. I have made an example:
This will cloak the real login page URL, which is useful for phishing.
Sorry if my "advisory" is not very professional, it's the first time I post on a security list.
[URL broken to prevent accidental clicks – Tony]
This is a non-issue in my opinion. Google has made this page to alert people to the fact that they are being taken to another website; that is _its_ purpose (i.e. to display a message: redirecting you to example.com).
Google could take the approach that Yahoo! has been forced to take and create a white list of every page/domain approved to use the redirect, but that would be a massive waste of time (see Yahoo!'s message: p1.rd.scd.yahoo.com/*google.co ...)
Here is the URL with usg not corrupted. The redirection can't happen if you don't click on the link: google.com/url?q=blogoscoped.c ...
With usg=1', it won't happen. So, even if there is "Redirecting to ...", I think there is a flaw, because you avoid Google's security page.
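The two mitigations the thread touches on, the usg signature that decides between an immediate redirect and the "Redirecting you to..." page, and the Yahoo!-style allow-list of approved destinations, combined in one redirector policy. This is an added example and not Google's, Yahoo!'s or WHMT's code; SECRET_KEY, ALLOWED_HOSTS and the example.com hosts are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed signing key for the example; a real deployment loads it from a secret store.
SECRET_KEY = b"example-redirect-signing-key"

# Constructed allow-list of destination hosts that may be redirected to without a signature.
ALLOWED_HOSTS = {"accounts.example.com", "docs.example.com"}


def sign_target(target: str) -> str:
    """Produce a usg-style signature over the destination URL (HMAC-SHA256, hex)."""
    return hmac.new(SECRET_KEY, target.encode("utf-8"), hashlib.sha256).hexdigest()


def decide_redirect(redirect_url: str) -> str:
    """Classify a /url?q=...&usg=... request the way a hardened redirector would.

    Returns:
      "redirect"     - target is allow-listed or carries a valid signature: send the user on
      "interstitial" - target is an absolute http(s) URL but unsigned or badly signed:
                       show the "Redirecting you to ..." warning page instead
      "reject"       - target is not an absolute http(s) URL (javascript:, data:, relative,
                       scheme-relative //host, ...): refuse the redirect entirely
    """
    params = parse_qs(urlparse(redirect_url).query)
    target = params.get("q", [""])[0].strip()
    usg = params.get("usg", [""])[0]

    parsed = urlparse(target)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return "reject"
    # hostname (not netloc) so "http://good.example.com@evil.example/" resolves to evil.example
    if parsed.hostname in ALLOWED_HOSTS:
        return "redirect"
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    expected = sign_target(target).encode("ascii")
    if usg and hmac.compare_digest(usg.encode("utf-8"), expected):
        return "redirect"
    return "interstitial"
```

A corrupted signature such as usg=1' therefore lands on the interstitial rather than the immediate redirect, and a non-http(s) target never reaches the browser at all.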