Bugtraq mailing list archives
Open redirect on Google.com
From: research () nightwatchcybersecurity com
Date: Tue, 12 Apr 2016 15:03:06 GMT
Overview

An open redirect is operating at www.google.com.

Details

Google's main website provides a subsite for displaying mobile-optimized pages published using a special subset of HTML called AMP. While this works for mobile devices, for non-mobile devices it redirects to the original site, thus resulting in an open redirect. The subsite operates at the following URL:

https://www.google.com/amp/XXXX

where XXXX is the URL of the site.

Here is an example of a legit URL; in mobile browsers this would display the actual article (this can be simulated using Chrome's developer tools):

https://www.google.com/amp/www.usatoday.com/story/life/people/2016/03/31/world-famous-architect-zaha-hadid-dies-age-65/82466082/

HOWEVER, on non-mobile devices this would redirect to:

http://www.usatoday.com/story/life/people/2016/03/31/world-famous-architect-zaha-hadid-dies-age-65/82466082/

Because the vendor accepts any site without a whitelist, this can be used as an open redirect. Additionally, since this is hosted on the same main domain as the search engine, it can in theory be used to drive XSS or other similar attacks, although this is mitigated by the fact that AMP currently does not allow JavaScript.

Vendor Response

The vendor communicated that they do not consider open redirects to be a security issue.

References

Google Security CID: 7-2623000011032
AMP site: https://www.ampproject.org/
Vendor's view on open redirects: https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect

Timeline

2016-04-07: Vendor notified
2016-04-07: Vendor response
2016-04-11: Public disclosure
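
The advisory attributes the issue to the redirector accepting any site without a whitelist. The following is an added example, not code from the advisory or the vendor, showing the allowlist check a `/amp/<host>/<path>` style redirector could apply before issuing the redirect; the function name `redirect_target` and the allowlist entries are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of vetted publisher hosts (constructed sample values).
ALLOWED_HOSTS = {"www.usatoday.com", "news.example.org"}
PREFIX = "/amp/"


def redirect_target(request_path, allowed_hosts=ALLOWED_HOSTS):
    """Return the http:// URL to redirect to, or None if the request must be refused."""
    if not request_path.startswith(PREFIX):
        return None
    rest = request_path[len(PREFIX):]
    # Refuse characters that browsers and parsers normalise differently:
    # backslashes, whitespace and control characters.
    if not rest or "\\" in rest or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in rest):
        return None
    # Parse the value the way the client will after the redirect, and make the
    # decision on the parsed host, never on a substring or prefix match.
    try:
        parts = urlsplit("http://" + rest)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    # Userinfo ("allowed-host@other-host") and explicit ports are never needed here.
    if parts.username is not None or parts.password is not None or port is not None:
        return None
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if host not in allowed_hosts:
        return None
    # Rebuild the target from parsed components so only the checked host is emitted.
    target = "http://" + host + (parts.path or "/")
    if parts.query:
        target += "?" + parts.query
    return target


if __name__ == "__main__":
    for sample in ("/amp/www.usatoday.com/story/", "/amp/other.example/landing"):
        print(sample, "->", redirect_target(sample))
```
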