2020-001: URL Redirection to Untrusted Site ('Open Redirect') in Google generic TLD and ccTLD.
Original release date: March 1, 2020 Last revised: Discovered by: Vicente Aguilera Díaz Severity: 4.7/10 (CVSSv3 Base Score) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
BACKGROUND
The generic TLD (www.google.com) and country code top-level domain (ccTLD) are affected by this vulnerability.
DESCRIPTION
An open redirect is a vulnerability that occurs when an application that takes a parameter and redirects a user to the parameter value without any validation.
This vulnerability is used for phishing attacks for redirecting users to visit malicious sites against their will.
Although Google shows an alert message to notify users if a redirection is generated, it is possible to create a malicious URL that avoids these alert messages.
Google is affected by this vulnerability in the images search functionality.
PROOF OF CONCEPT
When a user search an image, generates a link as the following:
The user may be redirected to an untrusted page that contains malware which may then compromise the user's machine. This will expose the user to extensive risk and the user's interaction with the web server may also be compromised if the malware conducts keylogging or other attacks that steal credentials, personally identifiable information (PII), or other important data.
The user may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker controlled web page that appears to be a trusted web site. The phishers could then steal the user's credentials and then use these credentials to access the legitimate web site.
SYSTEMS AFFECTED
The generic TLD (www.google.com) and country code top-level domain (ccTLD) are affected by this vulnerability.
See Proof of Concept of exploitation in our YouTube channel.
CREDITS
This vulnerability has been discovered by Vicente Aguilera Diaz, vaguilera (at) isecauditors (dot) com.
REVISION HISTORY
March 1, 2020: Initial release
DISCLOSURE TIMELINE
March 1, 2020: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
March 1, 2020: Vulnerability report send to Google.
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.
ABOUT
Internet Security Auditors is a Spain and Colombia based company leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.
Advisories 2020
2020-001: URL Redirection to Untrusted Site ('Open Redirect') in Google generic TLD and ccTLD.
Original release date: March 1, 2020
Last revised:
Discovered by: Vicente Aguilera Díaz
Severity: 4.7/10 (CVSSv3 Base Score)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
BACKGROUND
The generic TLD (www.google.com) and country code top-level domain (ccTLD) are affected by this vulnerability.
DESCRIPTION
An open redirect is a vulnerability that occurs when an application that takes a parameter and redirects a user to the parameter value without any validation.
This vulnerability is used for phishing attacks for redirecting users to visit malicious sites against their will.
Although Google shows an alert message to notify users if a redirection is generated, it is possible to create a malicious URL that avoids these alert messages.
Google is affected by this vulnerability in the images search functionality.
PROOF OF CONCEPT
When a user search an image, generates a link as the following:
The "url" parameter is not properly validated, so an open redirect can be exploited through this parameter.
Only this parameter is mandatory, so we can exclude some parameters in the GET request because not affect the expected results:
How to reproduce the vulnerability:
1. Select the malicious URL
For example:
https://www.isecauditors.com
2. Create the URL redirection to avoid the Google alert message
For example:
3. Encode the URL redirection
For example:
4. Create the final URL without Google alert
BUSINESS IMPACT
The user may be redirected to an untrusted page that contains malware which may then compromise the user's machine. This will expose the user to extensive risk and the user's interaction with the web server may also be compromised if the malware conducts keylogging or other attacks that steal credentials, personally identifiable information (PII), or other important data.
The user may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker controlled web page that appears to be a trusted web site. The phishers could then steal the user's credentials and then use these credentials to access the legitimate web site.
SYSTEMS AFFECTED
The generic TLD (www.google.com) and country code top-level domain (ccTLD) are affected by this vulnerability.
SOLUTION
-
REFERENCES
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
http://cwe.mitre.org/data/definitions/601.html
- OWASP unvalidated redirects and forwards
https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and...
See Proof of Concept of exploitation in our YouTube channel.
CREDITS
This vulnerability has been discovered
by Vicente Aguilera Diaz, vaguilera (at) isecauditors (dot) com.
REVISION HISTORY
March 1, 2020: Initial release
DISCLOSURE TIMELINE
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.
ABOUT
Internet Security Auditors is a Spain and Colombia based company leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.