Yesterday morning I got a Skype message from an ex-colleague, somebody I’d not heard from in some time but was happy to reconnect with. I say “message”, it wasn’t much of one, it was just a link.

It was clearly a phish, but it caught my eye because it didn’t link to some obviously scummy or incongruous URL. It was a link to Google, and that got me wondering, how does that work?

I’ve blurred some of the URL, but the important thing is that it looks like this: &usg=

I wasn’t interested in where the link would lead me (for the record, it redirects to a punycode encoded URL that redirects to a malicious site), but I was interested to see how a Google URL was being used to get me there. It reminded me of a very similar Skype message I’d received a few years ago, one that abused an open redirect in Google Maps, and I wondered if there was another.

Over the years, scammers have realised that keeping things simple works for them, and the simplest message of all is like this one – nothing more than a malicious link.

Of course, if all they have is a link they don’t want one that’s going to put you off. And that’s a problem, because their domains often are off-putting. Malicious websites are destined to be block listed and don’t have a very long shelf life, so there’s no mileage for them in trustworthy-looking dot coms. Instead, they often hack into legitimate websites and use those, either to host their content or to act as intermediaries. The resulting collection of compromised dentistry blogs and mom-and-pop travel company website domains is incongruous and not widely known.

The crooks need a way to dress them up as more trustworthy. One answer is to find an open redirect on a legitimate website – a redirection facility that can be abused to bounce users from a trustworthy website to another, less trustworthy one. Open redirects tend to be bugs though, and they are likely to be closed sooner or later. The holy grail is a legitimate website with an open redirect function that’s a feature, not a bug. Well, there is just such a feature, and it’s on the biggest website of them all.

In some browsers, like Firefox or Safari, Google search results don’t lead directly to the listed websites. When you click on a search result link you’re bounced through another Google URL, which then redirects you to your destination. It does this so it can log which link you’ve clicked on. (If you use Chrome, or Chrome-based browsers like Brave, you aren’t redirected like this, but the same link back to Google tracks you via the rarely-seen ping parameter.)

The URL Google uses for redirects is which serves, by design, as an open redirect. It will redirect you to any URL on the web, if you add an appropriate url parameter:

And that looks an awful lot like the phishing URL I received. If you pasted the link above into a browser you’ll have noticed that you didn’t go straight to. Instead, you were shown a Google web page saying “The page you were on is trying to send you to an invalid URL”. So why doesn’t that appear when you click on Google Search results and, more to the point, why didn’t it appear when I probed the Skype phish?

The answer is that the phishing URL contained a second parameter, sa=t, and a third, usg, which contains some kind of unique identifier. After a bit of cursory research I couldn’t find anyone that knows how to make a usg identifier, but crooks don’t have to make them. If a website is listed on Google Search, it has a usg, which is easily retrieved from the source code of the search results page. It means the crooks can only use Google’s open redirect with a site that’s listed in the Google Search index. But that’s not a barrier if you’re already hijacking legitimate websites.

Google search results have worked this way for a long time, and I imagine the tactic I’ve described here has been used for almost as long. So why does Google tolerate it? Well, Google (which, whether you like the company or not, takes security very seriously) doesn’t consider open redirects to be a security issue. It says that “improperly designed redirectors can lead to more serious flaws” and it’s happy to hear about those.
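If you want to see where a link like the one in this post really goes before anyone clicks it, the following added example (my code, not the post’s) unwraps Google /url redirect links found in a message, shows the destination with any punycode host decoded, and notes whether the sa and usg parameters that make the redirect work are present. The parameter name q, the sample message and the usg value are assumptions, since the post blurs the real URL.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not code from the original post: unwrap Google /url redirect links
# found in a message and report the real destination. The redirect parameter name q
# and the sample message below are assumptions; the usg value is a placeholder.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

SAMPLE_MESSAGE = (  # constructed: one redirect link, one ordinary link
    "hey, long time! have a look at this "
    "https://www.google.com/url?q=https://xn--mnchen-3ya.example/login"
    "&sa=t&usg=PLACEHOLDER_USG_TOKEN and also https://www.example.org/"
)

def decode_idna(host: str) -> str:
    """Render punycode (xn--) labels as Unicode so look-alike names are visible."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host

def unwrap_google_redirect(url: str):
    """Describe a google.com/url redirect link, or return None for any other link."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.path != "/url" or not (host == "google.com" or host.endswith(".google.com")):
        return None
    params = parse_qs(parts.query)
    dest = (params.get("q") or params.get("url") or [""])[0]
    dest_host = urlsplit(dest).hostname or ""
    return {
        "redirect": url,
        "destination": dest,
        "decoded_host": decode_idna(dest_host),
        "punycode": any(label.startswith("xn--") for label in dest_host.split(".")),
        # Without usg, Google shows its "invalid URL" page instead of redirecting.
        "has_usg": "usg" in params,
        "has_sa": "sa" in params,
    }

def scan_message(text: str) -> list:
    """Return a finding for every Google redirect link in the message, in order."""
    return [f for f in map(unwrap_google_redirect, URL_RE.findall(text)) if f]

if __name__ == "__main__":
    for f in scan_message(SAMPLE_MESSAGE):
        print(f"{f['redirect']}\n  really goes to {f['destination']} "
              f"(host {f['decoded_host']}, punycode={f['punycode']}, usg={f['has_usg']})")
```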