Over the last few months, while working with the "Open Redirect" class of vulnerability, I found something interesting: an attacker can bypass the confirmation page and redirect the user to a malicious website through the Google.com domain.
1. My site: https://sangbui.com
2. Redirect to other site by using Google.com domain: https://www.google.com/url?sa=t&url=[URL]
E.g.: https://www.google.com/url?sa=t&url=https://sangbui.com
Displayed: the "Redirect Notice" confirmation page.
So how can I bypass this form and redirect the user to my page without any confirmation message?
3. Bypass the confirmation page: https://www.google.com/url?sa=t&url=[URL]&usg=[Code]*
* See the video below for how I obtained the Code. The full URL is:
https://www.google.com/url?sa=t&url=https://sangbui.com&usg=AFQjCNE4X_X-BJ3kgsR7LEceasJNWqRcYw
With this URL, the attacker can send the user straight to a malicious or phishing site, with no notice shown.
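As an added example (not code from the original post), here is a small link-inspection helper of the kind a mail or proxy filter could use to spot google.com/url redirector links, extract where they actually send the user, and note when the signed form (`usg=` present) means the "Redirect Notice" page will be skipped. The function names, the `trusted_hosts` parameter and the sample link list are my own assumptions; the two redirector URLs in the sample are the ones from the post.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical helper (not from the original post): reports whether a link is a
# Google /url redirector, where it sends the user, and whether usg= is present
# (the post observes that a valid usg= suppresses the "Redirect Notice" page).
REDIRECTOR_HOSTS = {"google.com", "www.google.com"}

def analyze_google_redirect(link):
    """Return a dict describing the redirect, or None if not a google.com/url link."""
    parts = urlsplit(link)
    if parts.netloc.lower() not in REDIRECTOR_HOSTS or parts.path != "/url":
        return None
    query = parse_qs(parts.query)
    target = query.get("url", [None])[0]
    target_host = urlsplit(target).netloc.lower() if target else None
    signed = "usg" in query
    return {
        "target": target,
        "target_host": target_host,
        "signed": signed,
        # With the signature present, no confirmation page is expected.
        "notice_expected": not signed,
    }

def flag_suspicious_redirects(links, trusted_hosts):
    """Return (link, target_host, signed) for redirector links leaving trusted_hosts."""
    findings = []
    for link in links:
        info = analyze_google_redirect(link)
        if info is None or info["target_host"] is None:
            continue
        if info["target_host"] not in trusted_hosts:
            findings.append((link, info["target_host"], info["signed"]))
    return findings

# Constructed sample: the two redirector URLs from the post plus a plain search link.
SAMPLE_LINKS = [
    "https://www.google.com/url?sa=t&url=https://sangbui.com",
    "https://www.google.com/url?sa=t&url=https://sangbui.com&usg=AFQjCNE4X_X-BJ3kgsR7LEceasJNWqRcYw",
    "https://www.google.com/search?q=open+redirect",
]

if __name__ == "__main__":
    for link, host, signed in flag_suspicious_redirects(SAMPLE_LINKS, {"example.org"}):
        print(f"{host} via google.com/url, signed={signed}, notice shown={not signed}")
```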
I reported this issue to Google, but they consider that it is not a security vulnerability: "Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so, we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk."
In the next email they said: "We consider this issue as working as intended, but thanks for letting us know".
I think the "Redirect Notice" confirmation page should be displayed to help the user know where they are going. It is a risk sometimes.