Sunday, August 28, 2011

Google: Malware URL Redirection (Google Arbitrary URL Redirect Vulnerability)


The following link will issue a URL Redirect Notice:



And this will bypass the notice:



The above bypass link will keep working as long as Google doesn't change its internal algorithm that compares the hash against the provided URL.
Attackers have two ways to obtain a valid value. They could let the Google search engine crawl their malicious page and calculate the "usg" value on their behalf, or they could simply copy the link from the Redirect Notice page, which already contains the calculated "usg" value.
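As an added illustration (not code from the original post, and not Google's actual algorithm, which the post does not describe): a redirector token computed from the destination URL alone verifies for whoever holds the link, while a token also bound to a session and an expiry does not survive being copied. The key, function names, session ids and URL are constructed for the example.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # constructed value; a real service loads this from a secret store


def _mac(*parts: str) -> str:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_url_only(url: str) -> str:
    """Weak form: the token depends on the destination alone."""
    return _mac(url)


def verify_url_only(url: str, token: str) -> bool:
    return hmac.compare_digest(sign_url_only(url), token)


def sign_bound(url: str, session_id: str, expires: int) -> str:
    """Hardened form: the token is tied to one session and an expiry time."""
    return _mac(url, session_id, str(expires))


def verify_bound(url, session_id, expires, token, now=None) -> bool:
    now = int(time.time()) if now is None else now
    if now > expires:
        return False  # stale link: fall back to showing the redirect notice
    return hmac.compare_digest(sign_bound(url, session_id, expires), token)


if __name__ == "__main__":
    url = "https://example.test/landing"  # constructed destination
    # A token issued while serving session A is copied into a link opened by session B.
    t_weak = sign_url_only(url)
    print("url-only token, any holder:", verify_url_only(url, t_weak))
    exp = 1_000_000_600
    t_bound = sign_bound(url, "session-A", exp)
    print("bound, same session:", verify_bound(url, "session-A", exp, t_bound, now=1_000_000_000))
    print("bound, other session:", verify_bound(url, "session-B", exp, t_bound, now=1_000_000_000))
    print("bound, expired:", verify_bound(url, "session-A", exp, t_bound, now=1_000_000_601))
```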

The Google Security Team responded that Google blocks known malware URLs and that fixing this issue is unnecessary.

Here's how an attacker would bypass Google's carefully monitored URL redirector:

1. The attacker prepares a proxy link (P1) that redirects to a malware domain URL (U1).

2. The attacker sends P1 to a non-technically savvy user.

3. The user clicks on P1.

4. When the user lands on P1, the P1 server checks whether U1 is on Google's blacklist.

5. If the P1 server detects U1 on Google's blacklist, it generates a new malware URL (U2).

6. If the P1 server confirms that U1 is not on Google's blacklist, it redirects the user to the U1 URL.

7. The U1 URL (and any later generated malware domain URL) takes care of distributing malware and other attacks.
