2015-005: URL Redirection to Untrusted Site ('Open Redirect') in Google generic TLD and ccTLD

DESCRIPTION

An open redirect is a vulnerability that occurs when an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used for phishing attacks for redirecting users to visit malicious sites without against their will.

Google is affected by this vulnerability in the images search functionality.

When a user search an image, generates a link as the following:

http://www.google.es/imgres?imgurl=http://weknowyourdreams.com/images/lizard/lizard-07.jpg&imgrefurl=http://weknowyourdreams.com/lizard.html&h=1200&w=1920&tbnid=1OhPmwC22CBC5M:&docid=UbceIEKQCmsGbM&ei=dQYdVt3QF8i3UcX4jfAO&tbm=isch&ved=0CDUQMygAMABqFQoTCJ3fsp7Gv8gCFchbFAodRXwD7g

The imgrefurl is not properly validated, so an open redirect can be exploited through this parameter.

We can exclude some parameters in the GET request, because not affect the expected results. Only this parameters are mandatory:
- imgrefurl: the vulnerable parameter
- tbnid: must have the ":" character in the last position
- docid: can have a null value

Reproduction steps:

1. The attacker generates a link that includes a malicious URL (for example: www.isecauditors.com) in the "imgrefurl" parameter.

Example:
http://www.google.es/imgres?imgrefurl=http://www.isecauditors.com&tbnid=:&docid=

2. The Google response page contains a link to confirm the redirection to the malicious URL.

Example:
...
La página en la que te encuentras te intenta dirigir a http://www.isecauditors.com. 
...

3. The attacker extract the previously generated URL with the new parameters.

Example:
http://www.google.com/url?q=http://www.isecauditors.com&ust=1444061310739930&usg=AFQjCNF649gyi70n6zC89N2u_PLb1dd4dg

Now, The attacker have a time slot (several hours) where the request does not ask for user confirmation, and redirects users to malicious URL.

BUSINESS IMPACT

The user may be redirected to an untrusted page that contains malware which may then compromise the user's machine. This will expose the user to extensive risk and the user's interaction with the web server may also be compromised if the malware conducts keylogging or other attacks that steal credentials, personally identifiable information (PII), or other important data.

The user may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker controlled web page that appears to be a trusted web site. The phishers could then steal the user's credentials and then use these credentials to access the legitimate web site.

DISCLOSURE TIMELINE

October 5, 2015: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
October 5, 2015: Vulnerability report send to Google.
October 5, 2015: Google consider this bug a duplicate of an existing issue.
October 7, 2015: Internet Security Auditors asks to be notified when corrected, to publish the advisory once the bug have been corrected.
October 8, 2015: Google answers that they don't have a good way for notifying researchers when duplicate findings are fixed.
October 13, 2015: Internet Security Auditors confirm that the bug have been corrected (Google did not communicated anything about this to Internet Security Auditors).
October 15, 2015: Advisory published.

ABOUT

Internet Security Auditors is a Spain and Colombia based company leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.