Over the last few months, while working on "Open Redirect" vulnerabilities, I found something interesting: an attacker can bypass Google's redirect confirmation page and send a user to a malicious website through the google.com domain itself, so the link the victim sees (and hovers over) starts with https://www.google.com/.

1. My site: https://sangbui.com
2. Google's redirector, which sends the user to any other site from the google.com domain: https://www.google.com/url?sa=t&url=[URL]
Eg: https://www.google.com/url?sa=t&url=https://sangbui.com

Display: the "Redirect Notice" interstitial, which tells the user which site they are about to be sent to.

(Screenshot: Redirect Notice - Mozilla Firefox, 2016-05-23 23:47:41)
So how can I bypass this form and redirect the user to my page without any confirmation message?

3. Bypass the confirmation page:  https://www.google.com/url?sa=t&url=[URL]&usg=[Code]*

* See the video below for how to obtain the code. The full URL will be:

With this URL, an attacker can redirect the user to a malicious or phishing site with no interstitial at all: the victim clicks a google.com link and lands directly on the attacker's page.
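As an added example (not code from the original post), here is the check a mail gateway or link scanner can run on the other side of this issue: unwrap google.com/url redirector links, pull out the real destination, note whether a usg= token is present (per the post, a valid token skips the Redirect Notice), and flag any link whose final destination is not on a trusted list. It assumes only what the post states about the URL format; nothing here computes a usg value, and the token value, the evil.example host and the sample e-mail text are constructed for the demonstration.

```python
"""Unwrap google.com/url redirector links and flag untrusted destinations.

Added example, not part of the original post. It assumes only what the post
states: https://www.google.com/url?sa=t&url=<target> shows the Redirect
Notice, and the same link with a valid usg= parameter skips it. The usg
value below is a constructed placeholder, not a real token.
"""
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

GOOGLE_REDIRECT_HOSTS = {"google.com", "www.google.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unwrap_google_redirect(link: str) -> Optional[dict]:
    """Return details of a google.com/url redirector, or None if link is not one."""
    parts = urlsplit(link)
    if parts.scheme not in ("http", "https"):
        return None
    if parts.hostname not in GOOGLE_REDIRECT_HOSTS or parts.path != "/url":
        return None
    qs = parse_qs(parts.query)          # parse_qs percent-decodes each value once
    # The post shows the destination in url=; the redirector also accepts q=.
    target = (qs.get("url") or qs.get("q") or [None])[0]
    if target is None:
        return None
    # A redirector wrapped in a redirector: unwrap until the real destination.
    inner = unwrap_google_redirect(target)
    final = inner["target"] if inner else target
    return {
        "target": final,
        "target_host": urlsplit(final).hostname,
        "has_usg": "usg" in qs,         # per the post, a valid usg skips the notice
        "nested": inner is not None,
    }


def is_suspicious(link: str, trusted_hosts: set) -> bool:
    """True for a google.com/url link whose final destination is not trusted.

    The usg bypass matters because the user never sees the Redirect Notice,
    so the google.com prefix in the link is the only thing they get to judge.
    """
    info = unwrap_google_redirect(link)
    if info is None:
        return False                    # not a redirector; out of scope here
    return info["target_host"] not in trusted_hosts


def find_suspicious_links(text: str, trusted_hosts: set) -> list:
    """Extract every http(s) link in text and return the suspicious redirectors."""
    return [u for u in URL_RE.findall(text) if is_suspicious(u, trusted_hosts)]


# Constructed sample e-mail body (not a real message).
SAMPLE_EMAIL = (
    "Hi, please verify your account here: "
    "https://www.google.com/url?sa=t&url=https%3A%2F%2Fevil.example%2Flogin&usg=EXAMPLE_TOKEN\n"
    "Our site: https://sangbui.com\n"
    "Docs: https://www.google.com/url?sa=t&url=https://sangbui.com\n"
)

if __name__ == "__main__":
    for link in find_suspicious_links(SAMPLE_EMAIL, {"sangbui.com"}):
        info = unwrap_google_redirect(link)
        print(f"suspicious: {link}\n  -> {info['target']} (usg present: {info['has_usg']})")
```

The scanner treats the final hop as the thing to judge, so a redirector nested inside a redirector still resolves to the real destination, and it records whether a usg token is present so that a reviewer knows the interstitial would not have protected the user.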

I reported this issue to Google, but they do not consider it a security vulnerability: “Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so, we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk.”

In a follow-up email they said: “We consider this issue as working as intended, but thanks for letting us know”.

I think the “Redirect Notice” confirmation page should always be displayed so the user knows where they are going. Skipping it is a real risk in some cases: a link that visibly starts with google.com, and that the browser reports as google.com on hover, can carry the user straight to a phishing page.
