

Unvalidated Redirect in Google (or How Google Sent Me To Bing) - borski
http://blog.tinfoilsecurity.com/its-the-little-things-that-matter-or-how-goog

======
e1ven
One thing that's fun is that Google has a page detailing how to handle
redirects on your own sites:
[http://googlewebmastercentral.blogspot.com/2009/01/open-redi...](http://googlewebmastercentral.blogspot.com/2009/01/open-redirect-urls-is-your-site-being.html)

~~~
dhruvbird
hypocrisy??

------
stusmall
Also, if you want to hide the URL in the link better, just pad the end of the
query string with garbage and they won't even notice it:

[http://www.google.com/finance/url?sa=D&q=http://goo.gl/j...](http://www.google.com/finance/url?sa=D&q=http://goo.gl/j10cW&sdf=189fdgjoidfg80dfgdfg)

~~~
g_lined
Or embed it with the government redirect mentioned. "Here's what Obama had to
say about Google on yesterday's visit to Vermont!"
[http://labor.vermont.gov/LinkClick.aspx?link=http://www.goog...](http://labor.vermont.gov/LinkClick.aspx?link=http://www.google.com/finance/url?q=http://www.bing.com/?q=EVILWEBSITE)

~~~
borski
Linkception. You can take that link and throw it in Google, and so on... At
some point, maybe you'll hit a limit? Sounds like a fun test to run... ;)

~~~
carey
You’ll start running into browser limits at somewhere from 2048 to 2083
characters: <http://support.microsoft.com/kb/208427>

~~~
hakaaak
Depends on the browser. Mobile browser URL limits used to be much shorter.

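Two things in this thread are worth seeing in working code: e1ven's point that Google's own webmaster guidance covers how to keep redirects on your own site from becoming open redirectors, and the "linkception" chain in g_lined's and stusmall's links, where one redirector's target is another redirector. The Python below is an added example and is not code from the Tinfoil Security post, from Google, or from any commenter. It unwraps a chained-redirector URL offline to find the final destination (every query parameter is inspected, so padding the query string with garbage or using a different parameter name does not hide the target), and it shows an allowlist check of the kind the guidance recommends. The function names, the hop limit, and the sample URLs (taken from the comments above) are my own choices.

```python
"""Unwrap chained open-redirector URLs and validate redirect targets.

Added example for this thread; not code from Tinfoil Security, Google,
or any commenter. Function names and the hop limit are my own choices.
"""
import re
from typing import Iterable, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Only an absolute http(s) URL counts as a "next hop"; a query value such as
# q=EVILWEBSITE is a search term, not a redirect target.
_ABSOLUTE_HTTP = re.compile(r"^https?://", re.IGNORECASE)


def next_hop(url: str) -> Optional[str]:
    """Return the first query-string value that is itself an absolute URL.

    Every parameter is inspected, so padding the query with garbage or using
    a different parameter name (link=, q=, url=) does not hide the target.
    parse_qsl splits at the first "=", so a value that contains "?" and "="
    (a nested redirector URL) survives intact.
    """
    parts = urlsplit(url)
    for _name, value in parse_qsl(parts.query, keep_blank_values=False):
        value = value.strip()
        if _ABSOLUTE_HTTP.match(value):
            return value
    return None


def unwrap_redirect_chain(url: str, max_hops: int = 10) -> List[str]:
    """Follow nested redirector parameters offline and return every hop.

    The first element is the URL as given; the last is the final destination
    a victim would land on. max_hops is a hypothetical, explicit limit so a
    deliberately deep chain cannot loop forever.
    """
    hops: List[str] = []
    current: Optional[str] = url
    while current is not None and len(hops) < max_hops:
        hops.append(current)
        current = next_hop(current)
    return hops


def chain_hosts(url: str, max_hops: int = 10) -> List[str]:
    """Hostname of each hop, handy for a log search or a blocklist match."""
    return [urlsplit(h).hostname or "" for h in unwrap_redirect_chain(url, max_hops)]


def is_safe_redirect(target: str, allowed_hosts: Iterable[str]) -> bool:
    """Allowlist check for a redirect target on your own site.

    Accepts a same-site relative path ("/account") or an absolute http(s) URL
    whose host is in allowed_hosts. Rejects the usual bypasses: scheme-relative
    "//evil.example", backslashes (browsers treat "/\\evil.example" as
    "//evil.example"), userinfo tricks ("https://good.example@evil.example"),
    non-http schemes, and CR/LF that could split a Location header.
    """
    allowed = {h.lower() for h in allowed_hosts}
    target = target.strip()
    if not target or any(c in target for c in "\r\n\t\x00") or "\\" in target:
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative path: exactly one leading slash, so "//host" is refused.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # .hostname drops userinfo and port and lowercases the host; it is None
    # for malformed forms such as "http:evil.example".
    return parts.hostname is not None and parts.hostname in allowed


if __name__ == "__main__":
    # Sample URL constructed from the g_lined comment in this thread.
    chained = ("http://labor.vermont.gov/LinkClick.aspx?link=http://www.google.com"
               "/finance/url?q=http://www.bing.com/?q=EVILWEBSITE")
    for i, hop in enumerate(unwrap_redirect_chain(chained)):
        print(f"hop {i}: {hop}")
    print("final host:", chain_hosts(chained)[-1])
    print("/finance/quote allowed:", is_safe_redirect("/finance/quote", ["www.google.com"]))
    print("bing allowed:", is_safe_redirect("http://www.bing.com/", ["www.google.com"]))
```

Run it as-is and the three hops print in order, with www.bing.com as the final host. The allowlist check is deliberately strict: a relative path must start with exactly one "/", and an absolute URL is judged by `hostname` after Python has stripped userinfo and port, which is what defeats the `good@evil` form. Anything that fails the check should fall back to a fixed same-site page rather than being passed through.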
------
arscan
I wonder if submitting the following link to HN would result in (google.com)
being displayed next to the link instead of (tinfoilsecurity.com):

[http://www.google.com/finance/url?sa=D&q=http://blog.tin...](http://www.google.com/finance/url?sa=D&q=http://blog.tinfoilsecurity.com/its-the-little-things-that-matter-or-how-goog)

I'd try, but I don't want to risk upsetting HN's moderators ;-)

~~~
rwos
1.) Yes, I think so. 2.) Don't worry, it has been done before:

<http://news.ycombinator.com/item?id=1259695>

(That particular instance doesn't work anymore, though)

------
davidu
On the flip side, when Google does find a malicious URL being used in their
redirector they are able to disable the URL and make the link invalid.

They might not do this today, but Bitly now does, and so there's that.

~~~
Firehed
Should be fun to see what happens when you get them to automatically blacklist
their own sites... ;)

------
darkarmani
This is a good way to get around domain reputation ratings like SiteAdvisor. A
domain like google isn't going to get hurt by a reputation service, but a
small domain would get marked red after a few redirects to exploits or malware
get crawled.

------
cominatchu
We check for these types of vulnerabilities, and it's free to sign up:
<https://armorhub.com>

~~~
ghayes
On a blog post for Tinfoil Security, it would be better to phrase this as "We
also check for these types of vulnerabilities." Tinfoil Security clearly found
this specific vulnerability using their own product.

~~~
darkarmani
That would make sense if he left the comment on Tinfoil's actual blog post.
Here on HN I don't think it matters.

------
StevenXC
I couldn't get bit.ly to replicate the behavior that the article claimed:
shortening .gov URLs using 1.usa.gov. Anyone else have any luck?

~~~
borski
Try shortening <http://whitehouse.gov> -> <http://1.usa.gov/15DR7>

~~~
StevenXC
Interesting. <http://labor.vermont.gov> was shortened with the bit.ly domain -
perhaps they caught on to the redirect.

~~~
borski
They did catch on - [http://blog.howto.gov/2012/10/26/gsa-combats-malicious-use-o...](http://blog.howto.gov/2012/10/26/gsa-combats-malicious-use-of-1-usa-gov-short-urls/)

~~~
StevenXC
Thanks for the link!

