When a user search an image, generates a link as the following: http://www.google.es/imgres?imgurl=http://weknowyourdreams.com/images/lizard/lizard-07.jpg&imgrefurl=http://weknowyourdreams.com/lizard.html&h=1200&w=1920&tbnid=1OhPmwC22CBC5M:&docid=UbceIEKQCmsGbM&ei=dQYdVt3QF8i3UcX4jfAO&tbm=isch&ved=0CDUQMygAMABqFQoTCJ3fsp7Gv8gCFchbFAodRXwD7g The imgrefurl is not properly validated, so an open redirect can be exploited through this parameter. We can exclude some parameters in the GET request, because not affect the expected results. Only this parameters are mandatory: - imgrefurl: the vulnerable parameter - tbnid: must have the ":" character in the last position - docid: can have a null value Reproduction steps: 1. The attacker generates a link that includes a malicious URL (for example: www.isecauditors.com) in the "imgrefurl" parameter. Example: http://www.google.es/imgres?imgrefurl=http://www.isecauditors.com&tbnid=:&docid= 2. The Google response page contains a link to confirm the redirection to the malicious URL. Example: ... La página en la que te encuentras te intenta dirigir a http://www.isecauditors.com. ... 3. The attacker extract the previously generated URL with the new parameters. Example: http://www.google.com/url?q=http://www.isecauditors.com&ust=1444061310739930&usg=AFQjCNF649gyi70n6zC89N2u_PLb1dd4dg Now, The attacker have a time slot (several hours) where the request does not ask for user confirmation, and redirects users to malicious URL.