The last few months, when I’m working around with “Open Redirect” vulnerability, I found something interesting that a hacker can bypass confirmation page and redirect the user to the malicious website by using the Google.com domain.

1. My site: https://sangbui.com
2. Redirect to other site by using Google.com domain: https://www.google.com/url?sa=t&url=[URL]
Eg: https://www.google.com/url?sa=t&url=https://sangbui.com

Display: Redirect Notice

Redirect Notice - Mozilla Firefox 2016-05-23 23.47.41
So how can I bypass this form and redirect the user to my page without any confirmation message?

3. Bypass the confirmation page:  https://www.google.com/url?sa=t&url=[URL]&usg=[Code]*

* See the below video to know how can I get the Code. The full URL will be:

With this URL, the hacker can redirect the user to malicious site or phishing.

I have reported this issue to Google but they think that this is an not a security vulnerability: “Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so, we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk.”

In the next email they said that: “We consider this issue as working as intended, but thanks for letting us know”.

I think the confirmation page “Redirect Notice” should be displayed to help the user know where they are going to. It’s a risk for sometimes.

2 Comments

  1. Pingback: 22 IT Blogger Việt bạn không nên bỏ qua (updated 2018) - ITviec blog

Leave a Comment

Your email address will not be published. Required fields are marked *