Open Redirect – A Vulnerability?

by Subbu Allamaraju on December 19, 2007

I am surprised to find that Google.com has an open redirector service that redirects to arbitrary third-party web sites. If you look at Aviv Raff’s report on a new Google Toolbar Dialog Spoofing Vulnerability, at the heart of the vulnerability is an open redirect service hosted on Google servers. This service can be used, independently of the Google Toolbar, to redirect the user to any arbitrary web site. Although Aviv Raff did not demonstrate this point, this redirector can be used to make the user download executable content from other sites. For hackers, the possibilities are endless. Since the URL starts with a Google domain, the user is very likely to trust the downloaded content. Here is how this works.

When you submit a GET request to /local_url?q=<some URI>, Google simply redirects the user agent to that URI with a 302 response. Here is an example (Note: This will redirect you to Slashdot).

Here is the trace captured with Firefox.

GET /local_url?q=http://www.slashdot.org HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.x 302 Found
Location: http://www.slashdot.org
Content-Type: text/html; charset=UTF-8
Server: mfe
Content-Length: 220
Date: Wed, 19 Dec 2007 23:07:27 GMT

In this example, a careful user would notice that there is an external URL embedded in the hyperlink. To make the hyperlink less conspicuous, all I have to do is add some junk to the query string of the URL, as in this link. A user trained to look at the browser status bar before clicking any link would still miss the fact that this URL leads to a different site.

Now on to more interesting stuff. I can just as well include a URL to an executable file in this link, as in this link. This will download gupdate.exe from Aviv Raff’s site, which he claims is the Windows Calculator. Since I have not verified this, please click on this link at your own risk.

Endless opportunities for hackers?

Update: Apparently this issue is known among web security circles. Here are some references:
