web application security lab

Google Fixes One Redirect But Leaves Lots of Others

Matt Cutts (the search engine guru at Google) just posted a few comments on this site and others that picked up the story: the redirection hole being used by phishers is now closed by adding a dialog warning you that you are being redirected. That is good news because 1) clearly Google can no longer deny it’s a hole - they themselves fixed it, and 2) some consumers may now be slightly safer, kinda. But as he himself said, this really isn’t a complete fix, as this is only one of many known redirects in Google that have the potential to aid phishing attacks.

There are 10 more redirects in Google that are still functional on this one URL alone. Google is riddled with these holes and they are incredibly easy to find. So while I applaud the fix, I am hardly impressed. It took over a year for this hole to get closed since I first announced it (you’ll notice the other three I mentioned in that post a year ago are still unfixed). There are at least 4 or 5 more that I’ve run across beyond that as well. It’s not even worth cataloging them at this point because there are so many left to fix.

So good job on fixing a small percent of the problem, but Google has got a very long road ahead of them before I’d trust clicking on any unscrutinized Google link I found on the web.
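The fix described above is an interstitial on one redirect endpoint while others keep redirecting silently. As an added example that is not Google's code or the post's, here is the kind of single shared check every redirect parameter on a site should pass through: on-site and allowlisted targets redirect, any other http(s) URL gets a "you are leaving" page, and anything else is refused. The host names and the response shape are constructed for the example.

```python
from urllib.parse import urlparse, urljoin
from html import escape

# Constructed example values: our own origin and the hosts we redirect to silently.
SITE_ORIGIN = "https://www.example.com/"
TRUSTED_HOSTS = {"www.example.com", "docs.example.com"}


def classify_redirect(target: str) -> str:
    """Return 'allow', 'interstitial' or 'reject' for a redirect target.

    allow        : relative path or exact trusted host; redirect silently
    interstitial : any other http(s) URL; show a warning page first
    reject       : javascript:, data:, malformed, or browser-parsing tricks
    """
    if not target:
        return "reject"
    # Browsers treat backslashes like slashes, so "/\evil.example" becomes
    # scheme-relative "//evil.example"; urljoin does not, so refuse it outright.
    if target.startswith(("/\\", "\\")):
        return "reject"
    # Resolve against our own origin so plain paths stay on-site and
    # scheme-relative "//host" inputs become explicit external URLs.
    resolved = urlparse(urljoin(SITE_ORIGIN, target))
    if resolved.scheme not in ("http", "https"):
        return "reject"
    # .hostname drops userinfo ("www.example.com@evil.example") and the port.
    host = (resolved.hostname or "").lower()
    if not host:
        return "reject"
    # Exact match only: "www.example.com.evil.example" must not pass.
    return "allow" if host in TRUSTED_HOSTS else "interstitial"


def redirect_response(target: str) -> tuple:
    """Build (status, location, body) for a redirect endpoint (constructed shape)."""
    verdict = classify_redirect(target)
    if verdict == "allow":
        return (302, urljoin(SITE_ORIGIN, target), "")
    if verdict == "interstitial":
        # The interstitial fix: no automatic redirect; the user sees the destination.
        # Escape it, or the warning page itself becomes an XSS sink.
        return (200, None, f"You are leaving this site for {escape(target)}. Continue?")
    return (400, None, "Invalid redirect target")
```

Every redirect parameter a site exposes must route through the same function; fixing one endpoint while others are left open is exactly the situation the post describes.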

4 Responses to “Google Fixes One Redirect But Leaves Lots of Others”

  1. Spider Says:

    Google, this is the same company that just launched its “enterprise” Google Docs apps? The ones where they store your documents on their servers? I think the exploitation of these holes (redirection along with the numerous XSS) is going to skyrocket with some devastating consequences.

  2. Awesome AnDrEw Says:

    The only thing I like about Google is the “this site may harm your computer” warning I see slapped on a great many “.ws” domains.

  3. Hong Says:

    Google Translate is worse than any other Google redirection attack; maluc already demonstrated it a few months ago.
    http://sla.ckers.org/forum/read.php?2,1508,1524#msg-1524

  4. wood Says:

    http://google.com/translate_c?u=http://exploitlabs.com

    heh