Google's Open Vulnerability

N.B. This has now been fixed! Good job. However long it took.

I found a Google vulnerability today. And I got hyped. Really hyped. Except, as it turns out, not all vulnerabilities are created equal...

The method: if you add /amp onto the end of some Google domains, you can specify any arbitrary website to redirect to. For example:

Notice the HTTPS there. Google are willing to sign this as valid content, served by them -- despite the fact that it redirects to absolutely any domain. Remember, that domain could have arbitrary JavaScript. It could be a phishing site to trap Google accounts.
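The mechanism described above, a redirector that forwards to whatever target the request names, is the textbook open redirect. As an added illustration (not Google's code, and nothing from the original post), the block below shows that pattern beside a hardened version that resolves the target against the redirector's own origin and only forwards to an allowlisted host. The origin `https://www.example.com`, the allowlist and the sample targets are all constructed values; it runs under Node.js using the built-in WHATWG `URL` class.

```javascript
// Added example (not Google's code): validating a user-supplied redirect target.
// Runs under Node.js; the origin, allowlist and sample targets are constructed.
const OWN_ORIGIN = 'https://www.example.com';                 // assumed: the redirector's own origin
const ALLOWED_HOSTS = ['example.com', 'accounts.example.com']; // assumed allowlist

// The open-redirect pattern the post describes: the parameter is used as-is,
// so any domain (and any scheme) the caller supplies becomes the Location.
function openRedirect(next) {
  return { location: next, allowed: true, reason: 'unchecked' };
}

// Exact host match, or a subdomain of an allowed host. Matching on the bare
// suffix without the leading dot would wrongly accept "notexample.com".
function hostIsAllowed(hostname, allowedHosts) {
  return allowedHosts.some((h) => hostname === h || hostname.endsWith('.' + h));
}

// Hardened version. Resolving against OWN_ORIGIN keeps relative paths on our own
// site, while "//evil.example", "/\\evil.example" and "https://user@evil.example"
// all resolve to a foreign hostname that the allowlist then rejects.
function safeRedirect(next, ownOrigin = OWN_ORIGIN, allowedHosts = ALLOWED_HOSTS) {
  let target;
  try {
    target = new URL(next, ownOrigin);
  } catch (err) {
    return { location: '/', allowed: false, reason: 'unparseable' };
  }
  if (target.protocol !== 'https:' && target.protocol !== 'http:') {
    return { location: '/', allowed: false, reason: 'scheme ' + target.protocol };
  }
  if (!hostIsAllowed(target.hostname, allowedHosts)) {
    // A rejected off-site target is exactly what a "properly monitored"
    // redirector should be logging and alerting on.
    return { location: '/', allowed: false, reason: 'host ' + target.hostname };
  }
  return { location: target.href, allowed: true, reason: 'ok' };
}

// Stand-alone demo over constructed sample targets.
const samples = [
  '/account',
  '//evil.example/',
  '/\\evil.example',
  'https://www.example.com@evil.example/',
  'https://example.com.evil.example/',
  'javascript:alert(1)',
];
for (const next of samples) {
  console.log(JSON.stringify(next), '-> open:', openRedirect(next).location,
              '| safe:', JSON.stringify(safeRedirect(next)));
}
```

The point of resolving with `new URL(next, ownOrigin)` rather than string-matching the parameter is that the parser, not a hand-written regex, decides what the browser will treat as the host; the protocol-relative, backslash and userinfo forms in the sample list are the usual ways a naive prefix check gets bypassed, and all of them land on the same `hostIsAllowed` decision.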

So, I'm not a security person really, but I decided to see what Google had to say about this. Surely it'd come up already, right?

"...we generally hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk."

In short -- we don't think it's a threat.

I mean, really? I'm generally pretty security-conscious, but if a site begins with "", I'm inclined to trust it.

And sure, the address bar is the best form of security. Green bars can't be faked, and all that jazz. But if you click on a link that looks like this: (don't click)

And you get redirected to a URL that looks like this: (again, don't click)

You'd have to be pretty paranoid to notice anything awry -- the green bar is doing its job, of course, and a well-designed phishing page will make it unlikely for anyone to even glance at the address bar. Oh, and I've chosen that example because '' is available for use right now. Scary, huh?

The new wave of TLDs means that phishing sites will have even more chances to make legitimate-seeming addresses. For those who prey on less savvy web users, there's a whole new dimension of ways to exploit.

I'd be interested to see more reasoning than is currently available for Google's choice to maintain an open redirect. But I suppose I've resigned myself to the fact that bug bounties aren't achieved quite so easily.