lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 12 Apr 2016 15:03:06 GMT
From: research@...htwatchcybersecurity.com
To: bugtraq@...urityfocus.com
Subject: Open redirect on Google.com

Overview
An open redirect is operating at www.google.com

Details
Google’s main website provides a subsite for displaying mobile-optimized pages published using a special subset of HTML called AMP. While this works for mobile devices, for non-mobile devices, this redirects to the original site, thus resulting in an open redirect. 

The subsite operates at the following URL:
https://www.google.com/amp/XXXX

where XXXX is the URL of the site. 

Here is an example of a legit URL&#8202;—&#8202;in mobile browsers this would display the actual article (this can simulated using Chrome’s developer tools):
https://www.google.com/amp/www.usatoday.com/story/life/people/2016/03/31/world-famous-architect-zaha-hadid-dies-age-65/82466082/

HOWEVER, on non-mobile devices this would redirect to:
http://www.usatoday.com/story/life/people/2016/03/31/world-famous-architect-zaha-hadid-dies-age-65/82466082/

Because the vendor accepts any site without whitelist, this can be used as an open redirect. Additionally, since this is hosted on the same main domain as the search engine, it can in theory be used to drive XSS or other similar attacks, although this is mitigated by the fact that AMP currently does not allow Javascript.

Vendor Response
The vendor communicated that they do not consider open redirects to be a security issue

References
Google Security CID: 7–2623000011032
AMP site: https://www.ampproject.org/
Vendor’s view on open directs: https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect

Timeline
2016–04–07: Vendor notified
2016–04–07: Vendor response
2016–04–11: Public disclosure

Powered by blists - more mailing lists