=============================================
INTERNET SECURITY AUDITORS ALERT 2015-005
- Original release date: October 5, 2015
- Last revised:  October 15th, 2015
- Discovered by: Vicente Aguilera Diaz
- Severity: 2/5
=============================================

I. VULNERABILITY
-------------------------
URL Redirection to Untrusted Site ('Open Redirect') in Google generic
TLD and ccTLD

II. BACKGROUND
-------------------------
The generic TLD (www.google.com) and country code top-level domain
(ccTLD) are affected by this vulnerability.

III. DESCRIPTION
-------------------------
An open redirect is a vulnerability that occurs when an application
that takes a parameter and redirects a user to the parameter value
without any validation. This vulnerability is used for phishing
attacks for redirecting users to visit malicious sites without against
their will.

Google is affected by this vulnerability in the images search
functionality.

IV. PROOF OF CONCEPT
-------------------------
When a user search an image, generates a link as the following:

http://www.google.es/imgres?imgurl=http://weknowyourdreams.com/images/lizard/lizard-07.jpg&imgrefurl=http://weknowyourdreams.com/lizard.html&h=1200&w=1920&tbnid=1OhPmwC22CBC5M:&docid=UbceIEKQCmsGbM&ei=dQYdVt3QF8i3UcX4jfAO&tbm=isch&ved=0CDUQMygAMABqFQoTCJ3fsp7Gv8gCFchbFAodRXwD7g

The imgrefurl is not properly validated, so an open redirect can be
exploited through this parameter.

We can exclude some parameters in the GET request, because not affect
the expected results. Only this parameters are mandatory:
- imgrefurl: the vulnerable parameter
- tbnid: must have the ":" character in the last position
- docid: can have a null value

Reproduction steps:

1. The attacker generates a link that includes a malicious URL (for
example: www.isecauditors.com) in the "imgrefurl" parameter.

Example:
http://www.google.es/imgres?imgrefurl=http://www.isecauditors.com&tbnid=:&docid=

2. The Google response page contains a link to confirm the redirection
to the malicious URL.

Example:
...
La página en la que te encuentras te intenta dirigir a <a
href="/url?q=http://www.isecauditors.com&ust=1444061310739930&usg=AFQjCNF649gyi70n6zC89N2u_PLb1dd4dg">http://www.isecauditors.com</a>.

...

3. The attacker extract the previously generated URL with the new
parameters.

Example:
http://www.google.com/url?q=http://www.isecauditors.com&ust=1444061310739930&usg=AFQjCNF649gyi70n6zC89N2u_PLb1dd4dg

Now, The attacker have a time slot (several hours) where the request
does not ask for user confirmation, and redirects users to malicious URL.

V. BUSINESS IMPACT
-------------------------
The user may be redirected to an untrusted page that contains malware
which may then compromise the user's machine. This will expose the
user to extensive risk and the user's interaction with the web server
may also be compromised if the malware conducts keylogging or other
attacks that steal credentials, personally identifiable information
(PII), or other important data.
  
The user may be subjected to phishing attacks by being redirected to
an untrusted page. The phishing attack may point to an attacker
controlled web page that appears to be a trusted web site. The
phishers could then steal the user's credentials and then use these
credentials to access the legitimate web site.

VI. SYSTEMS AFFECTED
-------------------------
The generic TLD (www.google.com) and country code top-level domain
(ccTLD) are affected by this vulnerability.

VII. SOLUTION
-------------------------
This vulnerability have been corrected.

VIII. REFERENCES
-------------------------
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
http://cwe.mitre.org/data/definitions/601.html

- OWASP: Open redirect
https://www.owasp.org/index.php/Open_redirect

See Proof of Concept of exploitation in our YouTube channel.

IX. CREDITS
-------------------------
This vulnerability has been discovered by Vicente Aguilera Diaz,
vaguilera (at) isecauditors (dot) com.

X. REVISION HISTORY
-------------------------
October 13, 2015: Initial release

XI. DISCLOSURE TIMELINE
-------------------------
October 5, 2015:  Vulnerability acquired by
                  Internet Security Auditors (www.isecauditors.com)
October 5, 2015:  Vulnerability report send to Google.
October 5, 2015:  Google considers this bug is a duplicate of an
                  existing issue.
October 7, 2015:  Internet Security Auditors asks to be notified when
                  corrected, to publish the advisory once the bug have
                  been corrected.
October 8, 2015:  Google answers that they don't have a good way for
                  notifying researchers when duplicate findings are
                  fixed.
October 13, 2015: Internet Security Auditors confirm that the bug
                  has been corrected (Google did not communicated
                  anything about this to Internet Security Auditors)
October 15, 2015: Advisory published.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain based leader in web application
testing, network security, penetration testing, security compliance
implementation and assessing. Our clients include some of the largest
companies in areas such as finance, telecommunications, insurance,
ITC, etc. We are vendor independent provider with a deep expertise
since 2001. Our efforts in R&D include vulnerability research, open
security project collaboration and whitepapers, presentations and
security events participation and promotion. For further information
regarding our security services, contact us.

XIV. FOLLOW US
-------------------------
You can follow Internet Security Auditors, news and security
advisories at:
https://www.facebook.com/ISecAuditors
https://twitter.com/ISecAuditors
http://www.linkedin.com/company/internet-security-auditors
http://www.youtube.com/user/ISecAuditors