Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net
-- Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net
(1) WebSite:
google.com
"Google is an American multinational technology company specializing in Internet-related services and products. These include online advertising technologies, search, cloud computing, and software. Most of its profits are derived from AdWords, an online advertising service that places advertising near the list of search results.
The corporation has been estimated to run more than one million servers in data centers around the world (as of 2007). It processes over one billion search requests and about 24 petabytes of user-generated data each day (as of 2009). In December 2013, Alexa listed google.com as the most visited website in the world. Numerous Google sites in other languages figure in the top one hundred, as do several other Google-owned sites such as YouTube and Blogger. Its market dominance has led to prominent media coverage, including criticism of the company over issues such as search neutrality, copyright, censorship, and privacy." (Wikipedia)
(2) Vulnerability Description:
Google's web application has a security problem: an attacker can exploit it to mount Covert Redirect attacks.
The vulnerability exists at the "Logout?" page with the "&continue" parameter, i.e.
The vulnerability can be attacked without the user being logged in. Tests were performed on Microsoft IE (10.0.9200.16750) on Windows 8, Mozilla Firefox (34.0) and Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) on Ubuntu (14.04), and Apple Safari 6.1.6 on Mac OS X Lion 10.7.
(2.1) When a user is redirected from Google to another site, Google checks whether the redirect URL belongs to a domain in Google's whitelist (the whitelist usually contains websites belonging to Google), e.g.
docs.google.com
googleads.g.doubleclick.net
If it does, the redirection is allowed.
However, if URLs in a whitelisted domain have open URL redirection vulnerabilities themselves, a user could be redirected from Google to a vulnerable URL in that domain first and then be redirected from that vulnerable site to a malicious site. To the user this looks like being redirected from Google directly.
One of the vulnerable domains is
googleads.g.doubleclick.net (Google's Ad System)
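The weakness described above is a design flaw in the filter, not in any one host: a whitelist keyed on the destination's domain trusts every URL on that domain, including any endpoint that is itself an open redirector. The following Python is an added example (not code from the advisory or from Google) that models the two checks side by side: the domain-level allowlist the advisory describes, and a stricter validator that only accepts same-origin relative paths or exact known endpoints and refuses to forward a target whose query string carries another URL. The endpoint paths, the `next`/`u` parameter names and the `evil.example` host are constructed for the demonstration; only the two whitelisted hosts and the test page `www.inzeed.com/kaleidoscope` come from the advisory.

```python
"""Redirect-target validation: domain allowlist vs. strict endpoint allowlist.

Added example for the Covert Redirect advisory; hostnames other than the two
whitelisted ones and the advisory's test page are constructed placeholders.
"""
from urllib.parse import urlsplit, parse_qsl

# Hosts the advisory says Google's redirect filter trusts.
ALLOWED_HOSTS = {"docs.google.com", "googleads.g.doubleclick.net"}

# Strict allowlist of (host, path prefix) pairs. The path is an assumption for
# the demonstration, not an endpoint named in the advisory. The ad host is
# deliberately absent: a host that forwards arbitrary targets must not be a
# permitted redirect destination at all.
ALLOWED_ENDPOINTS = {
    ("docs.google.com", "/document/"),
}


def host_allowlist_check(continue_url: str) -> bool:
    """The weak filter described in the advisory: trust the whole host."""
    parts = urlsplit(continue_url)
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS


def _looks_like_url(value: str) -> bool:
    """True if a query-string value is an absolute or scheme-relative URL."""
    v = value.strip().lower()
    return v.startswith("//") or "://" in v


def strict_redirect_check(continue_url: str) -> bool:
    """Stricter validator for a 'continue' parameter.

    Accepts same-origin relative paths, or absolute URLs that hit a known
    endpoint (host plus path prefix) and do not carry a nested URL that the
    endpoint could forward to. Everything else is refused.
    """
    parts = urlsplit(continue_url)

    # Same-origin relative path. Reject backslashes, which some browsers treat
    # as forward slashes ("/\evil.example" would become scheme-relative).
    if not parts.scheme and not parts.netloc:
        return parts.path.startswith("/") and "\\" not in continue_url

    # Scheme-relative ("//host/") URLs parse with an empty scheme and fail here,
    # as do javascript: and other non-web schemes.
    if parts.scheme not in ("http", "https"):
        return False

    # Exact hostname plus path prefix; never the bare domain.
    if not any(parts.hostname == host and parts.path.startswith(prefix)
               for host, prefix in ALLOWED_ENDPOINTS):
        return False

    # A URL inside the query string is the signature of a chained redirect.
    query = parse_qsl(parts.query, keep_blank_values=True)
    return not any(_looks_like_url(value) for _, value in query)


def compare(continue_urls):
    """Run both checks over a list of targets; returns {url: (weak, strict)}."""
    return {u: (host_allowlist_check(u), strict_redirect_check(u)) for u in continue_urls}


if __name__ == "__main__":
    # Constructed sample targets. The chained one mirrors the advisory's scenario:
    # a whitelisted ad host that forwards to the advisory's test page.
    samples = [
        "https://docs.google.com/document/d/abc123/edit",
        "https://googleads.g.doubleclick.net/click?next=http://www.inzeed.com/kaleidoscope",
        "https://docs.google.com/document/open?u=https://www.inzeed.com/kaleidoscope",
        "/settings",
        "//evil.example/",
        "https://docs.google.com@evil.example/document/",
        "javascript:alert(1)",
    ]
    for url, (weak, strict) in compare(samples).items():
        print(f"weak={weak!s:5}  strict={strict!s:5}  {url}")
```

The chained target passes the weak check because only its hostname is consulted; the strict check refuses it because the ad host is not a permitted endpoint, and would also refuse a permitted endpoint whose query string smuggles a second URL. The relative-path branch is the safest option when the application only ever needs to return users to its own pages.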
(2.2) Use one webpage for the following tests. The webpage address is "http://www.inzeed.com/kaleidoscope". We can suppose that this webpage is malicious.
Vulnerable URL:
POC:
POC Video:
(3) What is Covert Redirect?
Covert Redirect is a class of security bugs disclosed in May 2014. It occurs when an application takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS vulnerabilities in third-party applications.
Covert Redirect is also related to single sign-on. It is known for its influence on OAuth and OpenID; almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect was found and named by Wang Jing, a Mathematics PhD student from the School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.
After Covert Redirect was published, it was recorded in several common vulnerability databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, its OSVDB reference number is 106567, its Bugtraq ID is 67196, and its X-Force reference number is 93031.
Discoverer and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
More Details: