The following "Google redirection url" vulnerability has been disclosed on the Full-Disclosure mailing list recently:
!Note, working clickable example included! http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/065222.html
From the report: "Here is the link: http://www.google.com/url?q= http ://whmt.blogspot.com/&sa=D&sntz=1&usg=1' This link will redirect you to my blog (http://whmt.blogspot.com/). (It's safe)"
[URL modified to make it safe, J-M] |
And the original report by White Hat Mac Team (WHMT) is located at http://whmt.blogspot.com/2007/08/redirection-google-attention-un-lien.html
including a working URL as well. |
Why is this bad??
Google uses a redirection URL that says Redirecting you to.... when you click on the link. |
I agree, this is not a very bad issue. And the report of White Hat Mac Team is not very professional... |
>> I agree, this is not a very bad issue.
Negative. If you think this (http://blogoscoped.com/archive/2007-08-07-n14.html) is bad, the URL redirect is worse. |
Yeah, when you see the text 'Redirecting you to SOMETHING' it's too late. |
You're right, I didn't do it very professionally. The flaw works well on Safari (Apple browser), but if you use it with Firefox or Opera, you will be notified of: "Redirecting to..." However, it disappears very quickly. So, there is a flaw that can be used for phishing against a user of Google services. I have made an example:
http:// www.google.com/url? q=http%3A%2F%2Fmapage.noos.fr%2Fdacou%2Flogin.html& sa=D&sntz=1&usg=1'
This will cloak the real URL of the login page, which is useful for phishing. Sorry if my "advisory" is not very professional, it's the first time I post on a security list. Cheers. Clement-WHMT-
[URL broken to prevent accidental clicks – Tony] |
This is a non-issue in my opinion. Google has made this page to alert people to the fact that they are being taken to another website, that is _its_ purpose (i.e. to display a message: redirecting you to example.com).
Google could take the approach that Yahoo! has been forced to take and create a white list of every page/domain approved to use the redirect, but that would be a massive waste of time (see Yahoo!'s message: http://p1.rd.scd.yahoo.com/*http://google.com/)
|
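The white-list approach the post above attributes to Yahoo!, combined with the "Redirecting you to..." notice page discussed in this thread, sketched as an added example (not code from Google, Yahoo! or any poster). The function name, the host list and the three return labels are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example; a real service would load its own.
ALLOWED_HOSTS = frozenset({"example.com", "blog.example.com"})


def classify_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Decide what a /url?q=<target> style endpoint should do with a target.

    Returns 'redirect' (allow-listed host, forward silently),
    'interstitial' (valid web URL, unknown host: show a notice page that
    names the destination and requires a click) or 'reject'.
    """
    # Browsers treat "\" like "/" and drop control characters, so a URL
    # containing either can parse differently here than in the client.
    if target != target.strip() or any(c == "\\" or ord(c) < 0x20 for c in target):
        return "reject"
    try:
        parts = urlsplit(target)
        parts.port  # accessing .port raises ValueError on a malformed port
    except ValueError:
        return "reject"
    # Only absolute web URLs: refuses javascript:, data: and "//host" forms.
    if parts.scheme not in ("http", "https"):
        return "reject"
    # "http://example.com@other.test/" displays a trusted name but goes elsewhere.
    if parts.username is not None or parts.password is not None:
        return "reject"
    # .hostname is already lower-cased; drop the optional trailing root dot.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "reject"
    # Exact match only: "example.com.other.test" must not pass as "example.com".
    if host in allowed_hosts:
        return "redirect"
    return "interstitial"


if __name__ == "__main__":
    # Constructed sample targets.
    for url in ("https://blog.example.com/post?id=1",
                "http://example.com.other.test/",
                "http://example.com@other.test/login.html",
                "//other.test/"):
        print(f"{classify_redirect(url):12} {url}")
```

The decision is made on the parsed host rather than on a substring of the raw URL, which is what keeps the look-alike and userinfo forms out of the 'redirect' branch.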
Here is the URL with usg not corrupted. The redirection can't happen if you don't click on the link: http://www.google.com/url?q=http://blogoscoped.com/forum/&sntz=1&usg=AFQjCNHmckAiPEFtmcDVFrzx7Gf5hL7rQg With usg=1', it won't happen. So, even if there is "Redirecting to ...", I think there is a flaw, because you avoid the Google security page. |