Google's Open Vulnerability

I found a Google vulnerability today. And I got hyped. Really hyped. Except, as it turns out, not all vulnerabilities are created equal...


The method: if you add /amp onto the end of some Google domains, you can specify any arbitrary website to redirect to. For example:

https://google.co.uk/amp/bede.io

Notice the HTTPS there. Google are willing to sign this as valid content, served by them -- despite the fact that it redirects to absolutely any domain. Remember, that domain could have arbitrary JavaScript. It could be a phishing site to trap Google accounts.

So, I'm not a security person really, but I decided to see what Google had to say about this. Surely it'd come up already, right?

"...we generally hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk."

In short -- we don't think it's a threat.

I mean, really? I'm generally pretty security-conscious, but if a site begins with "https://google.com", I'm inclined to trust it.

And sure, the address bar is the best form of security. Green bars can't be faked, and all that jazz. But if you click on a link that looks like this: (don't click)

https://google.com/amp/account-verification.io/login

And you get redirected to a URL that looks like this: (again, don't click)

https://google.account-verification.io/login

You'd have to be pretty paranoid to notice anything awry -- the green bar is doing its job, of course, and a well-designed phishing page will make it unlikely for anyone to even glance at the address bar. Oh, and I've chosen that example because 'account-verification.io' is available for use right now. Scary, huh?

The new wave of TLD's means that phishing sites will have even more chances to make legitimate-seeming addresses. For those who prey on less savvy web users, there's a whole new dimension of ways to exploit.

I'd be interested to see more reasoning than is currently available for Google's choice to maintain an open redirect. But I suppose I've resigned myself to the fact that bug bounties aren't achieved quite so easily.

((OªœBnRmuqsœ£zVyibHm))