A security researcher says Google's open redirects make phishing attacks easy: a cybercriminal can use a legitimate-looking Google link to send victims to a fake login page and harvest their details.
Security researcher Sean Wright discovered the issue in Google's video conferencing service, Google Meet. The problem stems from Google converting URLs into redirects that span its product suite, Wright explained in a blog post.
So what’s the problem?
Open redirects take you from a Google URL to another website chosen by whoever created the link. When a link is posted in the chat of a Google Meet session, it is rewritten into a meet.google.com link that redirects to the original destination.
“Clicking this link will take the user to the appropriate URL,” says Wright. “But that’s a problem because it suddenly became a great tool for phishing.”
Problem with Open Redirects
Part of the problem is that people usually judge whether a link is safe by looking at the beginning of the URL. In a link to a fake domain, that beginning is the legitimate meet.google.com, so "many people will wrongly assume that this link is legitimate," says Wright.
Clicking the link takes you to a fake "Google login" page, Wright says on his blog. There are hints that it is fake, such as the accounts-google.phishy.info domain name and the missing page content. But, Wright says: "Most people look at the URL before they click, not later."
In addition to this, Wright says no authentication is required. “You may think this link was created during a Google Meet session, so at least you need to be authenticated and have a valid session. No! This works without any authentication and can be accessed by clicking the link.”
Also, while Google Meet adds extra query parameters to the link when it generates it, the redirect works without them. "Worse, you can provide any parameters and they are simply ignored," Wright says.
That matters because an attacker can pad the link with meaningless parameters to help bury the real destination URL, he explains.
“This URL can often be truncated, or the user probably won’t pay attention to it. Phishers are incredibly creative and will undoubtedly take advantage of it.”
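The point Wright is making, that the host a user sees (meet.google.com) and the host the browser ends up on are two different things, can be checked mechanically. The following is an added example, not code from Wright's post or from Google: a small link scanner that pulls an absolute URL out of a trusted host's query string and flags it when the destination belongs to a different registrable domain. The `linkredirect` path, the `dest` parameter name and the other parameter names are assumptions made for illustration (the article does not give the real link format), and the sample links, including the padded one with junk parameters, are constructed.

```python
"""Flag links where a trusted host carries a redirect to another domain.

Added example, not code from the original article, from Sean Wright, or from
Google. The meet.google.com "linkredirect" path and the parameter names are
assumptions made for illustration; the real link format is not on the page.
"""
from urllib.parse import parse_qs, unquote, urlparse

# Hosts a user would recognise and trust at the start of a URL.
TRUSTED_HOSTS = {"meet.google.com", "google.com", "www.google.com"}

# Query parameters that commonly carry a redirect target. Assumption: these
# names are illustrative, not necessarily the ones Google uses.
REDIRECT_PARAMS = ("dest", "url", "redirect", "continue", "u", "q")


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.

    Good enough for the demo; a production scanner should use the Public
    Suffix List so that e.g. example.co.uk is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def redirect_target(link):
    """Return the first absolute or scheme-relative URL found in the query, or None.

    parse_qs already percent-decodes once; the extra unquote() catches a
    second layer of encoding, a common trick for hiding the destination.
    Scheme-relative values ("//evil.example/...") count too, because browsers
    resolve them against the current scheme and they are a classic bypass.
    """
    qs = parse_qs(urlparse(link).query, keep_blank_values=True)
    for name in REDIRECT_PARAMS:
        for value in qs.get(name, []):
            candidate = unquote(value)
            parsed = urlparse(candidate)
            if parsed.scheme in ("", "http", "https") and parsed.hostname:
                return candidate
    return None


def classify_link(link):
    """Return (verdict, displayed_host, final_host) for one link."""
    shown = (urlparse(link).hostname or "").lower()
    target = redirect_target(link)
    if target is None:
        return ("direct", shown, shown)
    final = (urlparse(target).hostname or "").lower()
    if shown in TRUSTED_HOSTS and registrable_domain(final) != registrable_domain(shown):
        return ("open-redirect-offsite", shown, final)
    return ("redirect-same-site", shown, final)


def scan(links):
    """Classify every link and return the list of (link, verdict) pairs."""
    return [(link, classify_link(link)[0]) for link in links]


# Constructed sample links (not taken from the article):
SAMPLE_LINKS = [
    # redirect to the phishing domain, destination percent-encoded
    "https://meet.google.com/linkredirect?authuser=0"
    "&dest=https%3A%2F%2Faccounts-google.phishy.info%2Flogin",
    # redirect that stays inside google.com
    "https://meet.google.com/linkredirect?dest=https://docs.google.com/document/d/abc",
    # an ordinary meeting link with no redirect at all
    "https://meet.google.com/abc-defg-hij",
    # junk parameters before and after a scheme-relative destination
    "https://meet.google.com/linkredirect?foo=bar&x=1"
    "&dest=//accounts-google.phishy.info/login&junk=ignored",
]

if __name__ == "__main__":
    for link, (verdict, shown, final) in ((l, classify_link(l)) for l in SAMPLE_LINKS):
        print(f"{verdict:22} shown={shown:16} final={final}")
```

The useful output is the pair of hosts rather than the verdict alone: a mail gateway or chat bot can rewrite the displayed link text to show the final host, which is exactly the information the user is missing when they glance at meet.google.com and click.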
Google's stance on open redirects
Wright reported the issue to Google, but the report was rejected. Google declined to comment on this story, but pointed me to its published stance on open redirectors: "Some members of the security community argue that redirectors aid phishing because users may be inclined to trust the hover tooltip on a link and then fail to examine the address bar once the navigation takes place.
"Our take on this is that tooltips are not a reliable security indicator and can be tampered with in many ways; so we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored redirectors offers clear benefits and carries little practical risk."
Google does acknowledge that poorly designed redirectors can "lead to more severe flaws", and it treats those cases, where a redirect enables a further vulnerability, as reportable problems.
Google also notes that the Chrome browser has features that warn users when they navigate to a known malicious website, and that its Safe Browsing site status tool helps people check whether a site is unsafe.
Wright says that Google’s Safe Browsing works, “but it seems like a manual process that requires people to report the site / domain.”
While Google doesn’t see this as an issue, Wright doesn’t agree. He says this type of phishing is “really hard to detect” because it can be masked so easily. However, a password manager and enabling two-factor authentication can help reduce risk.