SANS ISC: Open redirects ... and why Phishers love them

Working from home, did you get a meeting invite recently that pointed to https://meet.google.com? Well, that is indeed where Google's online meeting tool is located. But the URL you received is potentially not "only" leading you there.

Google Meet and Google Hangouts have a so-called open-redirect vulnerability: a URL on the trusted Google domain takes a destination parameter and forwards the browser to whatever it names. Phishers have found it, and are currently abusing it in droves. Your users believe they are clicking on a Google link, but end up somewhere else altogether.

Benign example: https://meet.google.com/linkredirect?dest=https://cwe.mitre.org/data/definitions/601.html

Obviously, the phishers won't send your users to the MITRE CWE database, but rather make use of obfuscated destination URLs, which commonly lead to a phishing site that mimics a Google or Microsoft login page.

Google Hangouts (https://hangouts.google.com) has the same problem, and is also being abused.

Battling the never-ending phishing wave is difficult enough without major companies providing help to the crooks in the form of open redirects. If you have open redirects in your online web presence, and they are turning up in vulnerability reports for your site, please take them seriously, and fix them.
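The two sides of the problem, as an added example (this is not code from the diary or from Google): first, a mail-gateway or analyst helper that unwraps a redirector link such as the benign example above and reports the host the user will really land on; second, the server-side check a site should apply to its own redirect endpoint so it only forwards to its own pages or an explicit allowlist. The meet.google.com/linkredirect?dest= entry is the one shown on the page; the redirect.example.com entry, the hosts and the sample links are constructed for this example.

```python
"""Open redirects from the defender's side: unwrap them, and fix your own.

Added example, not code from the SANS ISC diary or from Google.
"""
from urllib.parse import urlsplit, parse_qs, urljoin

# Known redirector endpoints -> name of the query parameter holding the target.
# meet.google.com/linkredirect?dest= is from the diary; the second entry is a
# hypothetical placeholder standing in for any other redirector you track.
REDIRECTORS = {
    ("meet.google.com", "/linkredirect"): "dest",
    ("redirect.example.com", "/out"): "url",      # constructed, not real
}


def unwrap_redirect(url, max_hops=5):
    """Follow known redirector parameters without fetching anything.

    Returns (final_url, hops). hops == 0 means the link was not a known
    redirector; a changed host between url and final_url is the signal a
    mail filter or analyst cares about. max_hops caps chained redirectors.
    """
    current = url
    hops = 0
    for _ in range(max_hops):
        parts = urlsplit(current)
        param = REDIRECTORS.get(((parts.hostname or "").lower(), parts.path))
        if param is None:
            break
        values = parse_qs(parts.query).get(param)   # parse_qs percent-decodes
        if not values:
            break
        # urljoin resolves relative or scheme-relative targets ("//evil...")
        # the same way the browser would after the redirect.
        current = urljoin(current, values[0])
        hops += 1
    return current, hops


def redirect_crosses_host(url):
    """True when a known redirector sends the user off the domain shown in the link."""
    final, hops = unwrap_redirect(url)
    return hops > 0 and (urlsplit(final).hostname or "").lower() != (
        urlsplit(url).hostname or "").lower()


def safe_redirect_target(dest, request_host, allowed_hosts=()):
    """Server-side check for a site's own ?dest= style parameter.

    Returns the target to redirect to, or None if it must be refused.
    Accepts only absolute paths on this site, or https/http URLs whose host is
    the request host or on the allowlist. Rejects the usual bypasses:
    other schemes (javascript:, data:), scheme-relative //host, backslash
    variants (browsers treat "\\" as "/" in http URLs), and userinfo tricks
    such as https://trusted.host@evil.host/.
    """
    if not dest or any(c in dest for c in "\r\n\x00"):
        return None
    dest = dest.replace("\\", "/")
    parts = urlsplit(dest)
    if parts.scheme.lower() not in ("", "http", "https"):
        return None
    if not parts.scheme and not parts.netloc:
        # Relative target: require an absolute path, and not "//host/..."
        if not dest.startswith("/") or dest.startswith("//"):
            return None
        return dest
    if parts.username or parts.password:
        return None
    allowed = {request_host.lower(), *(h.lower() for h in allowed_hosts)}
    if (parts.hostname or "").lower() not in allowed:
        return None
    return dest


if __name__ == "__main__":
    # Constructed sample link: a redirector chained through a second redirector.
    sample = ("https://meet.google.com/linkredirect?dest="
              "https%3A%2F%2Fredirect.example.com%2Fout%3Furl%3Dhttps%3A%2F%2Flogin.example.net%2F")
    print(unwrap_redirect(sample))            # ('https://login.example.net/', 2)
    print(redirect_crosses_host(sample))      # True
    for d in ["/account/home", "//evil.example/x", "/\\evil.example/x",
              "javascript:alert(1)", "https://app.example.com@evil.example/",
              "https://sso.example.com/login"]:
        print(repr(d), "->", safe_redirect_target(d, "app.example.com",
                                                    allowed_hosts=("sso.example.com",)))
```

A mail gateway that rewrites or scores links can call unwrap_redirect on every URL and judge the link by the final host, which is exactly what the trusted-looking prefix is meant to hide. On your own site, the allowlist in safe_redirect_target is the fix the diary asks for: the redirect endpoint stays, but it can no longer be pointed at arbitrary hosts.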


Daniel, ISC Handler, Jun 18th 2021
Google says it's not a vulnerability. In their view, https://meet.google.com/ at the beginning of a link's URL is not intended to provide any assurance that the link is safe. The user isn't supposed to enter credentials into the mimicked Google login page until the user inspects the URL (shown in their web browser) for that page: https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect
Anonymous
Tons of abuse seen lately of open redirects at BIG companies. It is amazing how many of them take Google's stance of "working as designed, please continue to abuse us actively". Looking at you, photobox.co.uk, campaign.adobe.com, and others...
Paul
Google says the domain should not be a sign of trust, but they are actively doing just that by only showing the domain portion of the URL in Chrome. One part of Google says that users should look at the whole URL to determine if it is safe and another actively hides almost all of the URL because it is "confusing" for users.
Anonymous