The notification Google shows users when they go through its open redirect service

Aug 29, 2011 11:09 GMT

The Burmese YGN Ethical Hacker Group has found a method to bypass the notification Google shows users when they go through its open redirect service.

Open redirectors are scripts that redirect users to the URLs passed to them. This function is sometimes viewed as a vulnerability because it can be abused to enhance phishing or spam attacks, but it is also necessary in certain situations.

Websites use open redirectors for a variety of reasons, for example, to track where users are going when they leave their pages or to warn them that they are leaving a secure and trusted connection.

Google's open redirector is located at http://www.google.com/url?sa=t&url=[url] and is used in many situations. One of them is when users click on links found inside documents hosted on Google Docs.

Under normal circumstances, such an action would lead to a Google page called "Redirect Notice" which informs users that "the previous page is sending you to [url]."

This gives them the chance to undo their action if they believe they were actually going to a page under Google's control.

It is a response to phishing attacks that leverage the fact that most people will only bother reading the domain part of the URL, which is www.google.com and not the actual target.

YGN found that a "usg" value can be added to the link in order to bypass the redirect notice and lead users directly to the malicious page. This usg value is calculated by Google for pages that have been checked and which don't require a redirect notice, such as search results.

The hackers explain that an attacker can have Google's crawler generate the usg by indexing the page. Google responded that it monitors redirects and checks URLs against its Safe Browsing blacklist.

YGN feels this is not sufficient because attackers can chain multiple redirects, with Google's redirector leading to an intermediary non-malicious page. The hackers conclude that this issue will "last as long as Google doesn't change its internal algorithm that compares the hash against the provided URL."

UPDATE: "Our latest update is that any malicious individual can get valid "usg" value from Redirect Notice page. In this way, they don't need Google Crawler to crawl their page to get this value," a member of the YGN Ethical Hacker Group stated.
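For mail-filter or proxy-log triage, links in the redirector format described above can be unwrapped offline so that the real destination, rather than www.google.com, is what gets checked against a blocklist. The following is an added example, not code from YGN or Google; the host set, the hop cap, the function names and the sample URLs are assumptions, and the usg value is a placeholder that is only detected, not validated.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Assumption: only these hosts with the /url path count as the redirector.
REDIRECTOR_HOSTS = {"www.google.com", "google.com"}
MAX_HOPS = 5  # assumed cap so a deeply nested link cannot stall the unwrapper


def is_google_redirector(url):
    parts = urlsplit(url)
    # Compare the exact hostname: "www.google.com.evil.example" must not match.
    return (parts.scheme in ("http", "https")
            and (parts.hostname or "").lower() in REDIRECTOR_HOSTS
            and parts.path == "/url")


def unwrap(url):
    """Peel nested redirector links without any network access."""
    hops, usg_present = 0, False
    while is_google_redirector(url) and hops < MAX_HOPS:
        query = parse_qs(urlsplit(url).query)
        target = query.get("url", [""])[0]
        if not target:
            break
        # Per the article, a valid usg suppresses the Redirect Notice for the hop.
        usg_present = usg_present or "usg" in query
        url, hops = target, hops + 1
    return {"final_url": url, "final_host": urlsplit(url).hostname,
            "hops": hops, "usg_present": usg_present}


# Constructed sample links; example.test hosts and the usg value are made up.
_TARGET = quote("http://login.example.test/", safe="")
_PLAIN = "http://www.google.com/url?sa=t&url=" + _TARGET
SAMPLES = [
    _PLAIN,                                    # would show the Redirect Notice
    _PLAIN + "&usg=PLACEHOLDER",               # carries a usg value
    "http://www.google.com/url?sa=t&usg=PLACEHOLDER&url=" + quote(_PLAIN, safe=""),
    "http://www.google.com.evil.example/url?url=" + _TARGET,  # lookalike host
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(unwrap(sample))
```

A filter would then evaluate `final_host` against its reputation data and treat `usg_present` on a link found in mail or documents as a reason for closer inspection.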