A security researcher has discovered a redirection script on Google's servers that could be used to aid scammers since it contains few security measures to warn users that they are being sent to a third-party site.
[Screenshot: Twitter messages like these could be used to redirect users to malicious websites. Screenshot by Michael Lee/ZDNet Australia]
Redirection scripts are typically used by sites in place of direct links so that the site can record which links users click before sending them on to their intended destination. When abused, however, they can trick users into thinking they are clicking on a link to a safe site such as Facebook or Google when they are in fact being redirected to a site containing malware.
Facebook has long used redirectors on its site, with URLs of the form http://www.facebook.com/l.php?h=XXX&u=YYY, where the h parameter (XXX) is a security token and the u parameter (YYY) is the site the user should be redirected to. Although the security token can easily be forged, users are always shown a warning message, followed by the actual URL they will be taken to and the option to proceed or not.
However, a security researcher going by the name longrifle0x has discovered that Google's redirection script, used as part of its Open Authentication protocol, requires no security token and gives no warning that the user is about to be redirected to a third-party site. For example, a URL such as https://accounts.google.com/o/oauth2/auth?redirect_uri=%68%74%74%70%3A%2F%2F%77%77%77%2E%7A%64%6E%65%74%2E%63%6F%6D%2E%61%75, whose redirect_uri parameter is percent-encoded, appears to be a page on Google's domain but actually redirects to http://www.zdnet.com.au.
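As an added illustration of the two redirector formats described above (not code from the article or from either company), the following checker decodes the destination carried by a redirector link and reports whether it would send the user off the redirector's own domain; the sample links other than the article's own URL, the PLACEHOLDER_TOKEN value and the example.net allowlist entry are constructed for this example.

```python
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Query parameters the article's two redirectors use for the destination:
# Google's OAuth endpoint reads "redirect_uri", Facebook's l.php reads "u".
REDIRECT_PARAMS = ("redirect_uri", "u")

# Constructed samples: the first is the article's own percent-encoded URL, the
# others are made up (the Facebook "h" token value is a placeholder).
SAMPLE_LINKS = [
    "https://accounts.google.com/o/oauth2/auth?redirect_uri=%68%74%74%70%3A%2F%2F%77%77%77%2E%7A%64%6E%65%74%2E%63%6F%6D%2E%61%75",
    "http://www.facebook.com/l.php?h=PLACEHOLDER_TOKEN&u=http%3A%2F%2Fwww.example.net%2Flogin",
    "https://accounts.google.com/o/oauth2/auth?redirect_uri=https%3A%2F%2Faccounts.google.com%2Fdone",
    "https://www.google.com/search?q=open+redirect",
]

def redirect_target(link: str) -> Optional[str]:
    """Decoded destination carried by a redirector link, or None if it has none."""
    query = parse_qs(urlsplit(link).query, keep_blank_values=True)
    for name in REDIRECT_PARAMS:
        if name in query:
            value = query[name][0]      # parse_qs already stripped one layer of %-encoding
            for _ in range(3):          # peel further layers in case the value was double-encoded
                decoded = unquote(value)
                if decoded == value:
                    break
                value = decoded
            return value
    return None

def target_host(target: str) -> str:
    """Hostname of a destination; '' for a path-relative value such as '/done'."""
    if "://" not in target and not target.startswith("/"):
        target = "//" + target      # treat a bare 'host/path' like a scheme-relative URL
    return (urlsplit(target).hostname or "").lower()

def classify_link(link: str, trusted_domains: frozenset = frozenset()) -> str:
    """'no-redirect', 'same-site', 'trusted' (on the allowlist) or 'external'."""
    target = redirect_target(link)
    if target is None:
        return "no-redirect"
    link_host = (urlsplit(link).hostname or "").lower()
    host = target_host(target)
    if host in ("", link_host):
        return "same-site"
    if any(host == d or host.endswith("." + d) for d in trusted_domains):
        return "trusted"
    return "external"       # the redirector hands the user to a host it does not vouch for
```

The allowlist match is a plain suffix check; a production filter would consult a public-suffix list so that, for example, a domain under .com.au is not mistaken for a sibling of another.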
Many social networking services, such as Twitter, also truncate displayed URLs to show only the beginning of the link, which is what users rely on to judge which domain a link points to, making the situation worse. Combined with recent news or events, such as Google's recent testing of its password-less log-in, which also lives on Google's accounts sub-domain, unwary users could fall victim to phishing attacks.
When ZDNet Australia contacted Google for comment, the company said that while open redirects can be abused, it did not believe they represented a vulnerability as "there are many situations where it's helpful to redirect users to another page". However, the company did say that it works to limit the possibility of abuse.
This is not the first time Google's scripts or services have been found to be open to abuse. In August last year, a security researcher discovered that Google's servers could be used to multiply the output of distributed denial-of-service attacks.