Google Redirection Hole Used For Phishing
Well it’s official and no longer just conjecture. Google’s redirection hole is now being used as a phishing redirector. I don’t know how anyone could reasonably argue that this isn’t a problem now. It’s not me just spouting what could be or what might be; this is actually happening. Redirection without some way to whitelist destinations is dangerous for your brand, and it’s bad for your consumers when they trust your link and land on a phishing site.
It was bad enough when it was simply being used for spam, but now we are talking about users’ accounts being compromised. I understand this is a very complex issue to fix, having dealt with these issues in the past myself. Understanding it is no excuse for not fixing it, though. It’s been about six months since I first reported many of these issues.
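The whitelisting the post calls for, shown as an added example that is not code from the post or from Google: a redirect handler that copies the caller's `url` parameter straight into the `Location` header (the flawed pattern), beside one that only honours same-site paths and absolute http(s) URLs whose host is on an allowlist. The allowlist, function names and the test targets are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration; a real deployment lists its own domains.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def open_redirect_location(target):
    """The flawed pattern the post describes: whatever arrives in the 'url'
    parameter becomes the Location header, so any site can be the destination."""
    return target


def safe_redirect_location(target, allowed_hosts=ALLOWED_HOSTS):
    """Return the Location to send, or None if the target is not allowed.

    Accepts same-site relative paths and absolute http(s) URLs whose host is
    in allowed_hosts; rejects everything else, including common parser tricks.
    """
    if not isinstance(target, str) or target == "":
        return None
    # Control characters and whitespace: header injection or parser confusion.
    if any(ord(ch) < 0x21 or ch == "\x7f" for ch in target):
        return None
    # Browsers treat '\' as '/' in http(s) URLs, so "/\evil" really means "//evil".
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: only a single leading slash stays on this site.
        if normalised.startswith("/") and not normalised.startswith("//"):
            return normalised
        return None

    if parts.scheme.lower() not in ("http", "https"):
        return None                 # javascript:, data:, ftp:, ...

    host = parts.hostname           # strips userinfo ("trusted@evil") and port
    if host is None:
        return None                 # e.g. "http:evil" or "http:///evil"
    if host.rstrip(".").lower() not in allowed_hosts:
        return None
    return normalised


if __name__ == "__main__":
    for t in ("/account/home", "https://www.example.com/search?q=x",
              "http://203.0.113.7:9999/login", "//evil.example/",
              "/\\evil.example", "http://www.example.com@evil.example/"):
        print(f"{t!r:45} open -> {open_redirect_location(t)!r:45} "
              f"safe -> {safe_redirect_location(t)!r}")
```

The hardened version deliberately parses with the same host extraction a browser would use (`hostname` discards userinfo and port, backslashes are folded to slashes, scheme-relative `//` is rejected) rather than checking whether the string merely starts with or contains an allowed domain name.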



August 22nd, 2006 at 10:48 am
I’ve only seen google ads being used for spam redirection, such as http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://212.12.177.170:9999/www.paypal.com/thirdparty/webscrr/index.php
Perhaps the long URL makes it less obvious or more profitable.
August 22nd, 2006 at 11:09 am
Either way, it’s not good. I prefer your method, actually. At least that’s vaguely obfuscated by requiring the reader to look at the whole URL string. Either way they didn’t exactly make me feel better.
August 22nd, 2006 at 11:40 am
http://yro.slashdot.org/article.pl?sid=06/01/18/1427212 provides an interesting solution to the problem (removing the need for redirects), but, of course, if it doesn’t get adopted, it won’t work.
August 22nd, 2006 at 12:00 pm
That is interesting, I hadn’t seen that. It could really solve a lot of problems actually. I’ll have to read up on it, but to me it seems like it could remove a single point of failure as well, not to mention reduce unintended obfuscation.
August 22nd, 2006 at 2:00 pm
If I’ve understood correctly, what it does is notify a server (or group of servers) that you want to follow a link; the server checks whether it is a valid link in its domain (therefore covering any redirection holes) and returns the request.
This could patch only the redirection issue. I am thinking that if a site is XSS vulnerable you could of course alter the link contents so that a server of your own is notified instead of the original domain server. Also, in a more extreme situation, MITM attacks render the entire model useless unless we are talking about SSL. And don’t forget about DNS poisoning, in which case google.com resolves to your home-based phishing site.
August 22nd, 2006 at 3:06 pm
Maybe… I haven’t worked through the use cases yet, but if they are XSSable, either way they are screwed in my mind. In redirection theoretically there is nothing more you can do against the target since it is just a 301 redirect and nothing else appears on the page (and indeed there is no page). In this example instead of having a 301, you now have a link that pings a remote host. Yes it can be turned off or otherwise not used, but so can redirects with a GreaseMonkey script.
August 23rd, 2006 at 7:04 am
It would appear that most search engines are vulnerable.
Ninemsn.com (an MSN site)
http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Fha.ckers%2Eorg%2Fclickthru%2Fclickthru%2Eact%3Fid%3Ddigi%26context%3Dpwnt%26locale%3Den%5FAU%26a%3Dpwnt&_t=pwnt&_r=pwnt&_m=pwnt
Straight-up MSN site (a lot simpler)
msid.msn.com/mps_id_sharing/redirect.asp?ha.ckers.org
MSN again, different location
http://www.arabia.msn.com/webinclude/window.asp?STARTID=NIP_01&URL=http%3A//ha.ckers.org
Altavista
http://world.altavista.com/urltrurl?url=http%3A%2F%2Fha.ckers.org
Dogpile
http://www.dogpile.com/info.dogpl/clickit/search?r_aid=74F7FC3866EE4AFCA1558860641801A0&r_sacop=3&r_spf=0&r_cop=URL&r_snpp=3&r_spp=0&qqn=xdphO4Eq&r_coid=372372&rawto=http://ha.ckers.org
Netscape
http://www.netscape.com/viewstory/2006/08/17/pwnt/?url=http%3A%2F%2Fha.ckers.org&frame=false
Oh… and perhaps the most worrying thing I found in my research into trusted redirects was the following, which allowed you to insert content into the finance section of an MSN site!
http://finance.sympatico.msn.ca/banking/billpay/main.asp?URL=http://ha.ckers.org/
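The redirectors collected in this comment all share one shape: a trusted host whose query string carries the real destination (`adurl=`, `URL=`, `url=`, `rawto=`, or even a bare hostname after the `?`). A defender can hunt for that shape in proxy or web logs. The following is an added example, not code from the post or from any of the sites named: it parses constructed log lines (timestamp, client, method, URL; the hosts, addresses and destinations are made up) and flags any query parameter whose decoded value would send the browser to a host other than the one that was requested. It also catches the bare-hostname form and the `/\host` backslash trick, which the comment does not show.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (timestamp client method url); not real traffic.
SAMPLE_LOG = """\
2006-08-22T10:48:00 10.0.0.5 GET http://www.google.com/pagead/iclk?sa=l&num=5&adurl=http://203.0.113.7:9999/www.paypal.com/thirdparty/webscrr/index.php
2006-08-22T10:49:12 10.0.0.5 GET http://www.google.com/search?q=open+redirect&hl=en
2006-08-22T10:50:03 10.0.0.9 GET http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Fphish.example%2Flogin%3Fctx%3Dx%26a%3Dy&_t=x
2006-08-22T10:51:40 10.0.0.9 GET http://msid.msn.com/mps_id_sharing/redirect.asp?phish.example
2006-08-22T10:52:05 10.0.0.7 GET http://www.example.com/go?next=/account/home
2006-08-22T10:52:30 10.0.0.7 GET http://www.example.com/go?next=%2F%5Cphish.example
"""

# A bare "host.tld" handed to a redirect script; noisier than the URL checks.
BARE_HOST = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def external_host(candidate, request_host):
    """Host a decoded query value would send the browser to, if it is not request_host."""
    c = candidate.strip().replace("\\", "/")   # browsers treat '\' as '/' in http(s) URLs
    parts = urlsplit(c)
    if parts.scheme.lower() in ("http", "https") or c.startswith("//"):
        host = parts.hostname                  # drops userinfo and port
    elif BARE_HOST.match(c):
        host = c.lower()
    else:
        return None                            # plain text or a same-site path
    if host and host.rstrip(".") != request_host:
        return host
    return None


def find_redirect_targets(url):
    """List (parameter, off-site host) pairs found in the URL's query string."""
    parts = urlsplit(url)
    request_host = (parts.hostname or "").lower()
    findings = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # "?phish.example" has no '=': the key itself is the destination.
        candidates = [(key, value)] if value else [("<bare>", key)]
        for param, candidate in candidates:
            host = external_host(candidate, request_host)
            if host:
                findings.append((param, host))
    return findings


def scan_log(text):
    """Return one alert dict per off-site destination seen in the log text."""
    alerts = []
    for line in text.splitlines():
        fields = line.split(None, 3)
        if len(fields) != 4:
            continue
        ts, client, _method, url = fields
        for param, host in find_redirect_targets(url):
            alerts.append({"time": ts, "client": client,
                           "redirector": urlsplit(url).hostname,
                           "param": param, "target": host})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['time']} {alert['client']} via {alert['redirector']} "
              f"param={alert['param']} -> {alert['target']}")
```

Run against the constructed sample it raises four alerts (the `adurl`, `URL`, bare-host and backslash lines) and stays quiet on the ordinary search and the same-site `next=/account/home`. In practice the `target` column is what you would enrich with reputation data or compare against your own brand names.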
August 24th, 2006 at 3:55 am
[…] Rsnake has found someone using the Google Redirect to phish for Ebay accounts: Well it’s official and no longer just conjecture. Google’s redirection hole is now being used as a phishing redirector. I don’t know how anyone could reasonably argue that this isn’t a problem now. It’s not me just spouting what could be or what might be, this is actually happening. […]
August 24th, 2006 at 6:11 am
That sympatico.msn link is ridiculous. That better get fixed before the weekend. MSN needs to be more responsible with their coding because something like that could catch a lot of people.
August 24th, 2006 at 12:26 pm
Is it illegal to use the Google redirection? I doubt it, but I don’t want google to come after me if I use it.
August 24th, 2006 at 12:37 pm
For phishing? Yes. For anything else? No. There are no ToS posted for their redirection that I am aware of, but I’m also not a lawyer.
August 24th, 2006 at 8:17 pm
I wonder if this is what happened here:
http://www.theweb20dev.com/wordpress/2006/08/23/massive-viral-hybrid-phising-scheme-threatens-ebay/
August 24th, 2006 at 9:56 pm
I hadn’t seen that. Interesting link. Thanks, Nick!
September 1st, 2006 at 8:31 am
[…] This time it’s Yahoo’s turn to be used in propagation of phishing. This is the second time in just a few weeks that this has happened. The nay-sayers are awfully quiet these days, have you noticed? Interesting. Anyway, I’ll stop playing the “I told you so” game, and stick to the facts. The fact is Yahoo is currently hosting a redirection script used for tracking. That link can be modified to forward to any domain of the attacker’s choice. The attacker happened to choose a phishing page (big surprise): […]