web application security lab

Google Redirection Hole Used For Phishing

Well, it’s official and no longer just conjecture: Google’s redirection hole is now being used as a phishing redirector. I don’t know how anyone could reasonably argue that this isn’t a problem now. This is not me speculating about what could or might happen; it is actually happening. A redirector that forwards to any destination it is handed, with no whitelist of permitted targets, is dangerous for your brand, and it’s bad for your consumers when they trust your link and land on a phishing site.

It was bad enough when it was simply being used for spam, but now we are talking about users’ accounts being compromised. I understand this is a very complex issue to fix, having dealt with these issues myself in the past. Understanding it is no excuse for not fixing it, though. It’s been about six months since I first reported many of these issues.
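To make the "redirection without a whitelist" point concrete, here is an added example (not code from the original post, and not Google’s redirector) showing the unchecked pattern beside an allowlisted one. The parameter name `adurl`, the `ALLOWED_HOSTS` set and every sample query string are assumptions made for the demonstration; the phishing-style destination uses an RFC 5737 test address rather than a real host.

```python
"""An open redirector beside an allowlisted one.

Added example for this post; it is not code from the original page or from
any of the redirectors named in it. The query parameter name `adurl`, the
ALLOWED_HOSTS set and every sample input are assumptions made for the
demonstration, and the phishing-style URL uses an RFC 5737 test address.
"""
from urllib.parse import parse_qs, urlsplit

# Destinations this redirector may send a user to (assumed for the example).
ALLOWED_HOSTS = {"www.example.com", "mail.example.com"}
FALLBACK = "/"


def _target_param(query_string: str) -> str:
    """Pull the redirect destination out of the query string (no validation)."""
    return parse_qs(query_string).get("adurl", [FALLBACK])[0]


def unchecked_redirect_target(query_string: str) -> str:
    """The hole: whatever `adurl` says, the user is sent there."""
    return _target_param(query_string)


def is_safe_target(target: str) -> bool:
    """True only for same-site absolute paths or http(s) URLs on allowlisted hosts."""
    # Control characters (CR, LF, TAB, NUL ...) enable header injection and
    # parser confusion; refuse them before parsing anything.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    # Browsers treat a backslash like a forward slash, so "/\evil.example"
    # becomes "//evil.example"; urlsplit does not, so refuse backslashes.
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # No scheme and no authority: a plain path. Require exactly one leading
        # slash; "//host" would have shown up as a netloc anyway.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, ftp: and friends
    # .hostname drops userinfo and port, so "https://www.example.com@evil.example/"
    # yields "evil.example"; the set membership test is exact, so
    # "www.example.com.evil.example" does not match either.
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


def checked_redirect_target(query_string: str) -> str:
    """The fix: same parameter, but only honoured when it passes the allowlist."""
    target = _target_param(query_string)
    return target if is_safe_target(target) else FALLBACK


# Constructed sample query strings, in the shape of the pagead link quoted in
# the comments (the destination IP is from the 203.0.113.0/24 test range).
SAMPLES = {
    "phish": "sa=l&num=5&adurl=http://203.0.113.5:9999/www.paypal.com/webscr/index.php",
    "ok_host": "adurl=https://mail.example.com/inbox?id=7",
    "ok_path": "adurl=/account/settings",
    "proto_rel": "adurl=//evil.example/login",
    "backslash": "adurl=/\\evil.example",
    "userinfo": "adurl=https://www.example.com@evil.example/",
    "suffix": "adurl=https://www.example.com.evil.example/",
    "crlf": "adurl=/ok%0d%0aSet-Cookie:%20x=1",
    "js": "adurl=javascript:alert(1)",
}

if __name__ == "__main__":
    for label, qs in SAMPLES.items():
        print(f"{label:10} unchecked -> {unchecked_redirect_target(qs)}")
        print(f"{'':10} checked   -> {checked_redirect_target(qs)}")
```

The allowlist is an exact host match on purpose: suffix or prefix matching is where these fixes usually go wrong, and a redirector that cannot name its legitimate destinations is the one that ends up forwarding to a phishing page.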

15 Responses to “Google Redirection Hole Used For Phishing”

  1. DanielG Says:

    I’ve only seen google ads being used for spam redirection, such as http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://212.12.177.170:9999/www.paypal.com/thirdparty/webscrr/index.php
    perhaps the long url makes it less obvious or more profitable.

  2. RSnake Says:

    Either way, it’s not good. I prefer your method, actually. At least that’s vaguely obfuscated by requiring the reader to look at the whole URL string. Either way they didn’t exactly make me feel better.

  3. Edward Z. Yang Says:

    http://yro.slashdot.org/article.pl?sid=06/01/18/1427212 provides an interesting solution to the problem (removing the need for redirects), but, of course, if it doesn’t get adopted, it won’t work.

  4. RSnake Says:

    That is interesting, I hadn’t seen that. It could really solve a lot of problems actually. I’ll have to read up on it, but to me it seems like it could remove a single point of failure as well, not to mention reduce unintended obfuscation.

  5. Legionnaire Says:

    If I’ve understood correctly, what it does is notify a server (or group of servers) that you want to follow a link; the server checks whether it is a valid link in its domain (therefore covering any redirection holes) and returns the request.

    This could patch only the redirection issue. I am thinking that if a site is XSS vulnerable you could of course alter the link contents so that a server of your own is notified instead of the original domain server. Also, in a more extreme situation, MITM attacks render the entire model useless unless we are talking about SSL. And don’t forget about DNS poisoning, in which case google.com resolves to your home-based phishing site.

  6. RSnake Says:

    Maybe… I haven’t worked through the use cases yet, but if they are XSSable, either way they are screwed in my mind. In redirection theoretically there is nothing more you can do against the target since it is just a 301 redirect and nothing else appears on the page (and indeed there is no page). In this example instead of having a 301, you now have a link that pings a remote host. Yes it can be turned off or otherwise not used, but so can redirects with a GreaseMonkey script.

  7. digi7al64 Says:

    It would appear that most search engines are vulnerable

    Ninemsn.com (a msn site)
    http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Fha.ckers%2Eorg%2Fclickthru%2Fclickthru%2Eact%3Fid%3Ddigi%26context%3Dpwnt%26locale%3Den%5FAU%26a%3Dpwnt&_t=pwnt&_r=pwnt&_m=pwnt

    Straight up msn site(a lot simpler)
    msid.msn.com/mps_id_sharing/redirect.asp?ha.ckers.org

    MSN again - different loc
    http://www.arabia.msn.com/webinclude/window.asp?STARTID=NIP_01&URL=http%3A//ha.ckers.org

    Altavista
    http://world.altavista.com/urltrurl?url=http%3A%2F%2Fha.ckers.org

    Dogpile
    http://www.dogpile.com/info.dogpl/clickit/search?r_aid=74F7FC3866EE4AFCA1558860641801A0&r_sacop=3&r_spf=0&r_cop=URL&r_snpp=3&r_spp=0&qqn=xdphO4Eq&r_coid=372372&rawto=http://ha.ckers.org

    Netscape
    http://www.netscape.com/viewstory/2006/08/17/pwnt/?url=http%3A%2F%2Fha.ckers.org&frame=false

    Oh…and perhaps the most worrying thing I found in my research into trusted redirects was the following, which allowed you to insert content into the finance section of an msn site!
    http://finance.sympatico.msn.ca/banking/billpay/main.asp?URL=http://ha.ckers.org/
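The links in the comment above all share one shape: a trusted host whose query string carries a full URL on some other host. The following is an added example (not code from the original post or from any commenter) that triages a list of links for that shape, the check you would run over URLs pulled from a suspicious mail. The sample links are constructed here in the form of the redirector URLs listed above, with the hosts replaced by documentation-style names; nothing in this list is a real redirector.

```python
"""Triage links for redirector abuse: flag any query parameter whose value is
an http(s) URL on a host other than the link's own.

Added example, not code from the original post. The sample links are
constructed in the shape of the redirector URLs listed in the comment above,
with hosts replaced by documentation-style names.
"""
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit


def external_targets(link: str) -> List[Tuple[str, str]]:
    """Return [(param_name, destination_host), ...] for cross-host URL values."""
    outer = urlsplit(link if "://" in link else "http://" + link)
    own_host = (outer.hostname or "").lower()
    hits = []
    for name, value in parse_qsl(outer.query, keep_blank_values=True):
        # parse_qsl decodes once; a second unquote catches double-encoded
        # values such as http%253A%252F%252F...
        try:
            inner = urlsplit(unquote(value))
            dest = (inner.hostname or "").lower()
        except ValueError:  # e.g. a malformed bracketed IPv6 authority
            continue
        if inner.scheme in ("http", "https") and dest and dest != own_host:
            hits.append((name, dest))
    return hits


def looks_like_open_redirect(link: str) -> bool:
    """Cheap first pass: any cross-host URL parameter is worth a look."""
    return bool(external_targets(link))


# Constructed sample links (hypothetical hosts), mirroring the shapes above.
SAMPLE_LINKS = [
    "http://a.ninemsn.example/b.aspx?URL=http%3A%2F%2Fattacker.example%2Fclickthru%3Fid%3D1&_t=x",
    "http://world.altavista.example/urltrurl?url=http%3A%2F%2Fattacker.example",
    "http://www.dogpile.example/clickit/search?r_aid=74F7&rawto=http://attacker.example",
    "http://www.netscape.example/viewstory/?url=http%3A%2F%2Fattacker.example&frame=false",
    # A search for a URL is flagged too: the heuristic cannot tell a search
    # box from a redirector, so a hit still needs a human (or a request) to
    # confirm the endpoint actually forwards.
    "http://search.example/search?q=http://attacker.example",
    "http://search.example/search?q=phishing&start=10",
    "http://www.example.com/go?next=/account",
    "http://www.example.com/go?next=https://www.example.com/account",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        flag = "SUSPECT" if looks_like_open_redirect(link) else "ok     "
        print(flag, link, external_targets(link))
```

Two of the links in the comment above do not fit this heuristic and are worth remembering as edge cases: the `msid.msn.com` example carries the destination as a bare query string with no parameter name and no scheme, and the `finance.sympatico.msn.ca` example is not a redirect at all but content inclusion, which no URL-shape check will catch.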

  8. Don’t Click that Google URL - It’s a Trap! SEO Black Hat: SEO Blog Says:

    […] Rsnake has found someone using the Google Redirect to phish for Ebay accounts: Well it’s official and no longer just conjecture. Google’s redirection hole is now being used as a phishing redirector. I don’t know how anyone could reasonably argue that this isn’t a problem now. It’s not me just spouting what could be or what might be, this is actually happening. […]

  9. directionzero Says:

    That sympatico.msn link is ridiculous. That better get fixed before the weekend. MSN needs to be more responsible with their coding because something like that could catch a lot of people.

  10. Jack Says:

    Is it illegal to use the Google redirection? I doubt it, but I don’t want google to come after me if I use it.

  11. RSnake Says:

    For phishing? Yes. For anything else? No. There are no ToS posted for their redirection that I am aware of, but I’m also not a lawyer. ;)

  12. Nick Says:

    I wonder if this is what happened here:

    http://www.theweb20dev.com/wordpress/2006/08/23/massive-viral-hybrid-phising-scheme-threatens-ebay/

  13. RSnake Says:

    I hadn’t seen that. Interesting link. Thanks, Nick!

  14. ha.ckers.org web application security lab - Archive » Redirection in Yahoo Forwards Phishing Says:

    […] This time it’s Yahoo’s turn to be used in propagation of phishing. This is the second time in just a few weeks that this has happened. The nay-sayers are awfully quiet these days, have you noticed? Interesting. Anyway, I’ll stop playing the “I told you so” game, and stick to the facts. The fact is Yahoo is currently hosting a redirection script used for tracking. That link can be modified to forward to any domain of the attacker’s choice. The attacker happened to choose a phishing page (big surprise): […]

  15. photonpro Says:

    Two of my machines are being redirected from google to other search engines. Only one still works with google. The other two are useless. What to do?