by flipp3r 2791 days ago
> And the problem seems to have been fixed. When I search for chrome download on Bing, the top result is https://www.google.com/chrome.

Which could be faked, as seen in the referenced tweet: https://twitter.com/GabrielLandau/status/1055300918101598208

Yes, they show the word "Ad", alongside the domain name "google.com" - except the user doesn't end up on "google.com".

2 comments

Perhaps the ad was using one of the Google redirect tricks? There are a few google.com endpoints (if I recall) that you can abuse to redirect to arbitrary URLs.

At first I suspected this as well, but apparently it was a link to itracking[.]services and Bing pre-resolved the redirect chain.

You can spoof any domain you want in Bing Ads without needing an open redirect.

> You can spoof any domain you want in Bing Ads without needing an open redirect.

Is that a bug or a feature? It seems like the kind of thing that could erode user trust.

It's a feature, Google allows the same. Basically advertisers want to set the links to be tracking links and stuff which may be through third parties which then redirect to their site.

So both ad services allow the advertiser to display one URL while directing users to another.

Surely they're doing some verification to ensure that either the redirect lands on the advertised TLD, or alternatively that you're at least "in control" of the TLD you're advertising as (similar to GAnalytics verification -- via meta tag, DNS TXT entry, etc)?

Google does.
Data point: For me, the first result for 'download Chrome' is a legitimate ad that directs to google.com
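The check asked about in the thread (does the ad's redirect chain land on the domain shown to the user?) can be sketched as follows. This is an added example, not code from any commenter or from either ad platform: the function names, the `.example` hosts and the redirect table are constructed for illustration, and the suffix set is a stand-in for the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for this demo.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

def registrable_domain(url):
    """Return the registrable domain (eTLD+1) of a URL or bare display URL."""
    if "://" not in url:
        url = "https://" + url  # display URLs are usually shown without a scheme
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def resolve_chain(start, redirects, max_hops=10):
    """Follow redirects; the dict stands in for HTTP 30x Location headers."""
    chain = [start]
    while chain[-1] in redirects:
        nxt = redirects[chain[-1]]
        if nxt in chain or len(chain) > max_hops:
            raise ValueError("redirect loop or chain too long")
        chain.append(nxt)
    return chain

def check_ad(display_url, destination_url, redirects):
    """Compare the domain shown in the ad with the domain the click lands on."""
    chain = resolve_chain(destination_url, redirects)
    shown = registrable_domain(display_url)
    landed = registrable_domain(chain[-1])
    return {"shown": shown, "landed": landed,
            "hops": len(chain) - 1, "ok": shown == landed}

# Constructed sample data: one tracking link that ends on the advertised
# domain, and one that ends somewhere else.
REDIRECTS = {
    "https://tracker.example/click?id=1": "https://www.google.com/chrome/",
    "https://tracker.example/click?id=2": "https://chrome-setup.example/download",
}
ADS = [
    ("www.google.com/chrome", "https://tracker.example/click?id=1"),
    ("google.com", "https://tracker.example/click?id=2"),
]

def review(ads=ADS, redirects=REDIRECTS):
    return [check_ad(display, dest, redirects) for display, dest in ads]

if __name__ == "__main__":
    for result in review():
        print(result)
```

A check like this only reflects the chain at review time; a destination that later changes its redirect target would need to be re-resolved.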