N.B. This has now been fixed! Good job. However long it took.
I found a Google vulnerability today. And I got hyped. Really hyped. Except, as it turns out, not all vulnerabilities are created equal...
The method: on some Google domains, a path of the form /amp/<domain> sends the browser on to that domain, whatever it happens to be. For example:
https://google.co.uk/amp/bede.io
Notice the HTTPS there. That is a genuine Google host answering with a valid Google certificate, and the content it serves is a redirect to absolutely any domain. Remember, that domain could run arbitrary JavaScript. It could be a phishing site built to harvest Google accounts.
So, I'm not a security person really, but I decided to see what Google had to say about this. Surely it'd have come up already, right?
In short -- we don't think it's a threat.
I mean, really? I'm generally pretty security-conscious, but if a site begins with "https://google.com", I'm inclined to trust it.
And sure, the address bar is the best form of security. Green bars can't be faked, and all that jazz. But the green bar only tells you that you are securely connected to the host it shows, not that the host is the one you meant. So if you click on a link that looks like this: (don't click)
https://google.com/amp/account-verification.io/login
And you get redirected to a URL that looks like this: (again, don't click)
https://google.account-verification.io/login
You'd have to be pretty paranoid to notice anything awry -- the green bar is doing its job, of course, because the connection to account-verification.io really is encrypted, and a well-designed phishing page will make it unlikely for anyone to even glance at the address bar. The host merely begins with "google."; the domain somebody actually registered and controls is account-verification.io. Oh, and I've chosen that example because 'account-verification.io' is available to register right now. Scary, huh?
The new wave of TLDs means that phishing sites will have even more chances to make legitimate-seeming addresses. For those who prey on less savvy web users, there's a whole new range of ways to exploit.
I'd be interested to see more reasoning than is currently available for Google's choice to maintain an open redirect. But I suppose I've resigned myself to the fact that bug bounties aren't achieved quite so easily.