Message-ID: <YK-sBN_Tg_hDZ8ZKilDiM8vJvMp-fQQWVloKe6TVu6FLf3ISWoQwYAVIvExsNl0582--Pn_4u3jqJ4G_sAjKuVLdZPqkmJcuXKiBQWAbCRw=@protonmail.ch>
Date: Thu, 16 Oct 2025 11:09:08 +0000
From: Patrick via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] apis.google.com - Insecure redirect via __lu parameter (exploited in the wild)

----------------------------------------------------------------------------
Summary
----------------------------------------------------------------------------
A CWE-601 (Open Redirect) vulnerability has been identified in the additnow
functionality of apis.google.com. The vulnerability has been actively exploited
in targeted phishing attacks since at least September 15, 2025.

----------------------------------------------------------------------------
Affected host(s)
----------------------------------------------------------------------------
- apis.google.com

----------------------------------------------------------------------------
Proof of Concept (PoC)
----------------------------------------------------------------------------
- https://apis.google.com/additnow/l?applicationId=1&__ls=ogb&__lu=URL_HERE
  (parameter "__lu=" controls the redirect target)

----------------------------------------------------------------------------
Impact
----------------------------------------------------------------------------
An open redirect allows an attacker to craft a URL on the affected domain that
redirects users to an arbitrary external site. Impact scenarios include:

- Phishing: attackers can send links that appear to be from google.com but
  redirect to malicious sites.
- Bypass of spam/URL filters by leveraging a high-reputation domain.
- Link manipulation in SEO/social contexts.

----------------------------------------------------------------------------
Severity
----------------------------------------------------------------------------
Medium (confirmed exploitation in the wild)

----------------------------------------------------------------------------
Technical notes
----------------------------------------------------------------------------
- Root cause: insufficient validation of user-supplied redirect targets in the
  "__lu" parameter.
- Redirection is immediate (no further interaction required).

----------------------------------------------------------------------------
Weaponized demo (safe to click)
----------------------------------------------------------------------------
- https://apis.google.com/additnow/l?applicationId=1&__ls=ogb&__lu=%68%74%74%70%73%3A%2F%2F%73%69%76%65%72%74%2E%70%6C
  (this redirects to https://sivert.pl)

----------------------------------------------------------------------------
Timeline
----------------------------------------------------------------------------
- Discovery: 2025-09-15 (exploited by unknown threat actors since at least that date)
- Public disclosure: 2025-10-16 (this post)

----------------------------------------------------------------------------
Contact
----------------------------------------------------------------------------
- Name: Patrick (SivertPL)
- Email: kroppoloe@...tonmail.ch
- Website: https://sivert.pl
- X: @__tfr

----------------------------------------------------------------------------
Information for the Vendor
----------------------------------------------------------------------------

This is not the first time CWE-601 issues in Google services have been abused by
threat actors.

Please prioritize remediation to prevent further exploitation.

----------------------------------------------------------------------------
Acknowledgements
----------------------------------------------------------------------------
- Shoutout to Google - fix your open redirects!

-- 2025-10-16 SivertPL (kroppoloe@...tonmail.ch) --
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
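The technical notes above name the root cause as insufficient validation of the user-supplied redirect target. The following is an added example, not part of the post and not Google's code, showing the kind of server-side check a redirect parameter such as __lu needs: percent-decode the value (the "weaponized demo" relies on a fully percent-encoded target), reject inputs that invite parser confusion, and only honour targets that are either a same-site relative path or an https URL whose host is on an explicit allow-list. The allow-list, the function names and the fallback path are constructed assumptions for the example.

```python
"""
Hypothetical redirect-target validator (added example, not from the advisory
or from Google). Demonstrates the CWE-601 mitigation the post says is missing.
"""
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed allow-list of hosts a redirect may land on (assumption).
ALLOWED_HOSTS = {"apis.google.com", "www.google.com"}
# Constructed fallback used whenever the supplied target is rejected.
SAFE_DEFAULT = "/"


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded number of rounds),
    so that %68%74%74%70... is judged as "http..." and a double-encoded target
    cannot slip past a check that decodes only once."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalise_target(target: str) -> Optional[str]:
    """Decode and canonicalise the target. Returns None when the decoded value
    contains control characters or whitespace, which browsers and URL parsers
    treat inconsistently."""
    decoded = decode_fully(target)
    if any(ord(c) < 0x20 or c.isspace() for c in decoded):
        return None
    # Browsers treat a backslash like a slash in the authority part, so fold
    # it before inspecting the prefix.
    return decoded.replace("\\", "/")


def safe_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Return the canonical target if it is safe to redirect to, else None."""
    if not target:
        return None
    normalised = normalise_target(target)
    if normalised is None:
        return None
    # Protocol-relative form (//host) leaves the site while looking like a path.
    if normalised.startswith("//"):
        return None
    parts = urlsplit(normalised)
    if parts.scheme == "" and parts.netloc == "":
        # Purely relative path: accept only the single-leading-slash form.
        return normalised if normalised.startswith("/") else None
    # Absolute URL: require https, no userinfo (host@ tricks), allow-listed host.
    if parts.scheme.lower() != "https":
        return None
    if "@" in parts.netloc:
        return None
    host = (parts.hostname or "").lower()
    return normalised if host in allowed_hosts else None


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    return safe_target(target, allowed_hosts) is not None


def resolve_redirect(target: str) -> str:
    """What the handler should actually send in the Location header."""
    return safe_target(target) or SAFE_DEFAULT


if __name__ == "__main__":
    # Constructed sample inputs, including the encoded target from the post.
    samples = [
        "/settings?tab=1",
        "https://www.google.com/",
        "//evil.example/login",
        "%2F%5Cevil.example",
        "https://apis.google.com@evil.example/",
        "%68%74%74%70%73%3A%2F%2F%73%69%76%65%72%74%2E%70%6C",
    ]
    for s in samples:
        print(f"{s!r:60} -> {resolve_redirect(s)}")
```

Exact host matching (no suffix or substring checks) is deliberate: a check like `"google.com" in host` would accept `google.com.evil.example`. The bounded decode loop is what makes the percent-encoded demo URL from the post resolve to its real destination before the allow-list is consulted.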