Insecure URL redirection in Google+
Our team identified a vulnerability in Google+ (Google Plus) service which can be used to perform malicious insecure URL redirection in google+. It was possible to bypass the Google+ ‘Redirect Notice’ and divert user to a malicious site. The issue takes advantage of Google+ facility to redirect users from Google service to third party sites.
When User is redirecting to a third party site(s), Google+ shows a Redirect Notice that the user is about to be re-directed and thus user can make a choice of either continuing with re-direction or stay with Google+.
Varutra team could successfully bypass the redirect notice and came up with a way to directly divert the users to third party site(s) without any notice or correspondence from Google+. The severity of the identified threat is raised by the fact that the victim user need not be logged in to the Google+ account.
Below are the steps to reproduce the issue:
I. Please note, these steps are just to showcase the consequence of the vulnerability and are given for educating users about the threats, Varutra does not hold any responsibility for use/misuse of this information.
II. Attacker navigates to page http://plus.url.google.com/url?q= and enters the malicious URL of choice. (http://plus.url.google.com/url?q=http://www.malicious-site.com)
III. Google+ generates a redirection request/URL ands show a Redirect Notice with two options;
- The previous page is sending you to http://www.malicious-site.com
- If you do not want to visit that page, you can return to the previous page.
IV. The redirection URL will look like http://plus.url.google.com/url?q=http://www.malicious-site.com&ei=Fw0WUoPPGcvwrQfwqIFI&sa=X&ct=targetlink&ust=1377178655421471&usg=AFQjCNHfnI0h_f5_uqegvYZ
V. Attacker right clicks on the www.malicious-site.com and copy link location
VI. This link then can be sent to victim user through numerous and best suited ways to redirect him/her to the http://www.malicious-site.com without any notice from Google+
The only thing to notice is that this link is temporary and valid for approximately 30 minutes.
It was also observed that other Google services such as google.com (search engine) and orkut.com are also open to this issue.
Attack & PenTest Team,