N.B. This has now been fixed! Good job. However long it took.

I found a Google vulnerability today. And I got hyped. Really hyped. Except, as it turns out, not all vulnerabilities are created equal...

The method: if you add /amp onto the end of some Google domains, you can specify any arbitrary website to redirect to. For example:


Notice the HTTPS there. Google are willing to sign this as valid content, served by them -- despite the fact that it redirects to absolutely any domain. Remember, that domain could have arbitrary JavaScript. It could be a phishing site to trap Google accounts.

So, I'm not a security person really, but I decided to see what Google had to say about this. Surely it'd come up already, right?

"...we generally hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk."

In short -- we don't think it's a threat.

I mean, really? I'm generally pretty security-conscious, but if a site begins with "https://google.com", I'm inclined to trust it.

And sure, the address bar is the best form of security. Green bars can't be faked, and all that jazz. But if you click on a link that looks like this: (don't click)


And you get redirected to a URL that looks like this: (again, don't click)


You'd have to be pretty paranoid to notice anything awry -- the green bar is doing its job, of course, and a well-designed phishing page will make it unlikely for anyone to even glance at the address bar. Oh, and I've chosen that example because 'account-verification.io' is available for use right now. Scary, huh?

The new wave of TLD's means that phishing sites will have even more chances to make legitimate-seeming addresses. For those who prey on less savvy web users, there's a whole new dimension of ways to exploit.

I'd be interested to see more reasoning than is currently available for Google's choice to maintain an open redirect. But I suppose I've resigned myself to the fact that bug bounties aren't achieved quite so easily.