Over the last few months, while working on "Open Redirect" vulnerabilities, I found something interesting: an attacker can bypass the confirmation page and redirect the user to a malicious website by using the google.com domain.
1. My site: https://sangbui.com
2. Redirect to another site through the google.com domain: https://www.google.com/url?sa=t&url=[URL]
Displays: the "Redirect Notice" confirmation page
3. Bypass the confirmation page: https://www.google.com/url?sa=t&url=[URL]&usg=[Code]*
* See the video below for how I obtain the Code. The full URL will be:
With this URL, the attacker can redirect the user to a malicious or phishing site without any warning page in between.
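For defenders, the practical consequence is that a link must be judged by its final destination, not by the google.com host it starts at. The following is an added example (not from the original post): a small Python helper that recognises the google.com/url redirector, extracts the real destination from the url parameter, and flags links carrying a usg parameter as skipping the "Redirect Notice" page. The sample links and the usg value are constructed placeholders, and the q parameter is a known alternate form accepted by the same redirector.

```python
from typing import Optional
from urllib.parse import parse_qs, urlparse


def analyze_google_redirect(link: str) -> Optional[dict]:
    """Return redirect details if `link` uses google.com/url, else None.

    'bypasses_notice' mirrors the post's observation: when a `usg`
    parameter is present, the "Redirect Notice" page is not shown and
    the browser goes straight to the destination.
    """
    parsed = urlparse(link)
    host = parsed.netloc.lower()
    if not (host == "google.com" or host.endswith(".google.com")):
        return None
    if parsed.path != "/url":
        return None
    params = parse_qs(parsed.query)
    # `url` is the form shown in the post; `q` is a known alternate parameter.
    targets = params.get("url") or params.get("q")
    if not targets:
        return None
    destination = targets[0]
    return {
        "destination": destination,
        "destination_host": urlparse(destination).netloc.lower(),
        "bypasses_notice": "usg" in params,
    }


def flag_untrusted_links(links, trusted_hosts):
    """Return (link, final_host, bypasses_notice) for links whose final
    destination host is not in `trusted_hosts`; a redirector link is
    judged by where it ends up, not by the google.com host it starts at."""
    flagged = []
    for link in links:
        info = analyze_google_redirect(link)
        final_host = info["destination_host"] if info else urlparse(link).netloc.lower()
        if final_host not in trusted_hosts:
            flagged.append((link, final_host, bool(info and info["bypasses_notice"])))
    return flagged


# Constructed sample links; "PLACEHOLDER" stands in for a real usg value.
SAMPLE_LINKS = [
    "https://sangbui.com/",
    "https://www.google.com/url?sa=t&url=https%3A%2F%2Fsangbui.com%2F",
    "https://www.google.com/url?sa=t&url=https%3A%2F%2Fexample.invalid%2Flogin&usg=PLACEHOLDER",
]

if __name__ == "__main__":
    for entry in flag_untrusted_links(SAMPLE_LINKS, {"sangbui.com"}):
        print("untrusted destination:", entry)
```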
I reported this issue to Google, but they do not consider it a security vulnerability: "Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so, we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk."
In a follow-up email they said: "We consider this issue as working as intended, but thanks for letting us know".
I think the "Redirect Notice" confirmation page should be displayed to help the user know where they are going. It is a risk at times.