Open redirects ... and why Phishers love them

Published: 2021-06-18. Last Updated: 2021-06-18 13:03:34 UTC
by Daniel Wesemann (Version: 1)
3 comment(s)

Working from home, did you get a meeting invite recently that pointed to https://meet.google.com ?  Well, that's indeed where Google's online meeting tool is located. But potentially the URL you got is not "only" leading you there.

Google Meet and Google Hangouts have a so-called open-redirect vulnerability. Phishers have found it, and are currently abusing it in droves. Your users believe they are clicking on a Google link, but end up somewhere else alltogether.

Benign example:  https://meet.google.com/linkredirect?dest=https://cwe.mitre.org/data/definitions/601.html

Obviously, the Phishers wont't send your users to the Mitre vulnerability database, but rather make use of obfuscated destination URLs which commonly then lead to a phishing site that mimics a Google or Microsoft login page.

Google Hangouts https://hangouts.google.com has the same problem, and is also being abused.

Battling the never ending Phishing wave is difficult enough without major companies providing help to the crooks in the form of Open Redirects. If you have open redirects in your online web presence, and they are turning up in vulnerability reports for your site, please take them seriously, and fix them.

 

 

3 comment(s)

Comments

Google says it's not a vulnerability. In their view, https://meet.google.com/ at the beginning of a link's URL is not intended to provide any assurance that the link is safe. The user isn't supposed to enter credentials into the mimiced Google login page until the user inspects the URL (shown in their web browser) for that page: https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect
Tons of abuse seen lately of open redirects at BIG companies. It is amazing how many of them take Google's stance of "working as designed, please continue to abuse us actively". Looking at you, photobox.co.uk, campaign.adobe.com, and others...
Google says the domain should not be a sign of trust, but they are actively doing just that by only showing the domain portion of the URL in Chrome. One part of Google says that users should look at the whole URL to determine if it is safe and another actively hides almost all of the URL because it is "confusing" for users.

Diary Archives