Check out the simple but effective proof-of-concept

May 19, 2012 10:34 GMT  ·  By

Deepanker Verma, a security researcher at the Infosec Institute, has uncovered a potentially dangerous redirection vulnerability that affects Google Books (books.google.com), a site that has recently been integrated into Google Play.

According to Verma, Google has been notified of the existence of the flaw and has even confirmed it, but so far nothing has been done to address the issue.

The expert explains that these types of security holes appear when the website has “unvalidated redirection.”

If exploited successfully, the vulnerability could allow an attacker to launch phishing attacks and even redirect their victims to malware-infested sites. The cybercriminal only needs to convince the victim to click on a cleverly crafted link.

This may prove to be a simple task, since users can easily be fooled into thinking that the link points to a legitimate Google site.

Verma also warns that the attacker can hide his malicious intentions by adding fake tokens and parameters next to the redirection URL.

Here’s a small proof-of-concept. Simply paste it into your browser’s address bar and you will find that you are being redirected from the legitimate Google Books site and taken to Softpedia.com.

http://books.google.com/search?btnI&q=http://www.softpedia.com

Spammers and fraudsters would simply have to change the name of the site and they could dupe many individuals into thinking that there's nothing malicious involved.
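As an added illustration (not part of the article or of Verma's research), the Python below contrasts the two behaviours the article describes: a redirect handler that follows the q parameter unchecked, beside a hardened version that only follows same-site targets, plus a small check defenders can run over a batch of links. The site host, the parameter name q and all function names are assumptions made for the example.

```python
from urllib.parse import urlparse, parse_qs, urljoin

# Constructed sample: the proof-of-concept link quoted in the article.
POC_URL = "http://books.google.com/search?btnI&q=http://www.softpedia.com"


def extract_redirect_target(url, param="q"):
    """Return the value of the redirect parameter in a link, or None if absent."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    values = qs.get(param)
    return values[0] if values else None


def is_safe_redirect(target, site_host):
    """Defensive check: accept a redirect only if it stays on site_host.
    Absolute URLs on other hosts, scheme-relative targets and non-http(s)
    schemes are all rejected."""
    if not target:
        return False
    parsed = urlparse(target)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return False
    if parsed.netloc:                      # absolute or scheme-relative URL
        return parsed.netloc.lower() == site_host.lower()
    if target.startswith("//") or target.startswith("/\\"):
        return False                       # browsers treat these as off-site
    # Relative path: resolve against the site and confirm the host did not change.
    resolved = urlparse(urljoin(f"https://{site_host}/", target))
    return resolved.netloc.lower() == site_host.lower()


def vulnerable_redirect(url):
    """The 'unvalidated redirection' the article describes: q is followed as-is."""
    return extract_redirect_target(url)


def hardened_redirect(url, site_host="books.google.com", fallback="/"):
    """Hardened form: follow q only when it stays on site_host, else go to fallback."""
    target = extract_redirect_target(url)
    return target if is_safe_redirect(target, site_host) else fallback


def offsite_redirect_links(links, site_host="books.google.com"):
    """Detection helper: return the links whose redirect parameter leaves site_host,
    regardless of any extra tokens or parameters padded around it."""
    flagged = []
    for link in links:
        target = extract_redirect_target(link)
        if target is not None and not is_safe_redirect(target, site_host):
            flagged.append(link)
    return flagged
```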

In case you ever stumble upon such a link and you see a shady-looking website URL at the end, be sure to avoid clicking on it, since most likely you’ll end up on a pharmacy site or even worse.

For our readers who don't remember Deepanker Verma, he is the security researcher who, along with Shadab Siddiqui, identified a number of security holes on Guruji, India's number one search engine, and on Pinterest, the social media website whose popularity has grown considerably in recent times.