Cenzic 232 Patent
Paid Advertising
web application security lab

Redirection Report

Brian Krebs had an interesting report over at the Washington Post that cited a report from Indiana.edu about how redirects are in quite an abundance. Well, anyone who has worked in this field for any length of time should know that perfectly well, but it’s still interesting to get some validation from the researchers at Indiana.edu who specialize in anti-phishing research. Here’s the rub from Brian’s article:

Indeed, some of the Internet’s biggest Web sites — particularly Google — used to host large numbers of open redirects.

“Used to”? I know I’ve laid it on thick over the last few years, but I’m amazed people still think Google has somehow magically fixed problems that it never got around to fixing. Redirects are not fixed, XSS is not fixed. These issues still exist all over Google and Google’s web properties. But in case someone doesn’t believe me, here’s an example I whipped up in about 10 seconds that redirects to a random eBay auction from Google’s image server as a for instance (make sure you enable JS for the full effect).

It’s good to see people are finally understanding this in the main stream media, but let’s not give credit to companies that are clearly undeserving of it (both historically and currently). I’ll be the first one to stand up and give applause when we see these issues closed once and for all on Google even if it truly is just one company out of the vast untold wealth of sites out there that are vulnerable. But if it really is aiding phishers - and it is - the only way we are going to get ahead of it is by taking responsibility for our own sites. That’s especially true if we intend to be the be all end all of trustworthy advertising giants that Google aims to be.

9 Responses to “Redirection Report”

  1. Robert Says:

    This is pretty big in the phishing world and for the most part not discussed in the haxor circles. This has been added to the ongoing threat classification v2 project.

  2. 4k37 Says:

    wow. people pay $300 for a diaper bag?

  3. Owen Says:

    Nicely said. With malicious redirects, XSRF and XSS one could do some pretty nasty things to Google account holders. A major internet power house needs to take more of an initiative to keep its users safe. If they have fixed some of the problems I sure hope that they are working on the others. It seems that a company of that caliber would have some sort of standard before releasing a vulnerable application. I guess thats what you get when you release “beta” applications.

    Department head:
    “It wasn’t my fault millions of users data could have been compromised, after all they were using one of our ‘beta’ applications” .

  4. rvdh Says:

    Something like:

    http://images.google.com/imgres?imgurl=http://www.gmail.com/&imgrefurl=http://text.rochester.edu/tt/www.google.com/accounts/NewAccount?service=mail

    :)

  5. RSnake Says:

    Or how about: http://www.google.com/search?hl=en&q=http://ha.ckers.org/&btnI=I%27m+Feeling+Lucky&aq=f

  6. rvdh Says:

    Well, given the fact that the Google IP range is still the biggest malware webhoster in the Universe, I don’t think they’ll consider to change this soon. In the mean time, it’s up for the grabs!

  7. CoLL1eR Says:

    This is also a known bypass to msplinks on myspace, If the URL such as google is on their whitelist, it completely defects the purpose of the warning page.

  8. Hong Says:

    I come up with an idea for the redirect attack. Many web applications allow users install gadgets/apps to their domain and using iframes to sandbox their code, but it can launch a redirect attack. Here is the details.

    1. Attacker creates an evil gadget/app.
    2. Trapping victim to install that gadget/app. (using reflective XSS, CSRF, whatever).
    3. The evil gadget/app using window.top.location=”http://www.attacker.com” to redirect it to anywhere.

    After install evil gadget/app, the redirection will be persistently, and even though victim goes to the website from her bookmark or types it in the address bar, the redirection still works.

    Please correct me if I am wrong.

  9. skih Says:

    I just want to know how this link will work… When i click on the link provided or copy paste entire URL and then when i hit GO, the entire link is becoming http://images.google.com/imghp this. I have also tried giving any text in input box but of no use. How is this vulnerable ???