by wtracy
2727 days ago
A decade ago people were using Google redirects to lure people into visiting shock sites. Back then, it seemed reasonable to not consider this a real security flaw. Now that everyone has a Google account, the possibility of credential theft seems like something worth taking seriously. At the very least, either host the redirect on a domain that is clearly distinct from the domain users log into, or ignore the destination parameter if the referrer is not a trusted source.

Now I'm wondering if this is also a potential vector for DDoS attacks against a third party. Widely distribute links "to a cute puppy on Instagram" that redirect to a URL that triggers a resource-intensive search operation on the victim's server? (Bonus points if the redirect points to a page that loads an actual cute puppy in one frame, and targets the victim with a 1-pixel frame.) It sounds like a stretch, but I can't rule the possibility out. Even if it can't be used to launch a DDoS, I could see it being used for advertising fraud.
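The mitigation sketched in the comment above (ignore the destination parameter unless the referrer is trusted) combined with a destination allowlist, as an added example that is not code from the thread or from Google. The host names `accounts.example` / `www.example`, the `ALLOWED_HOSTS` and `TRUSTED_REFERRER_HOSTS` sets and the `/redirect?url=` parameter name are assumptions for illustration:

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumed deployment (not from the thread): the hosts users may legitimately
# be bounced to, and the hosts whose Referer we trust as a source of the
# destination parameter.
ALLOWED_HOSTS = frozenset({"accounts.example", "www.example"})
TRUSTED_REFERRER_HOSTS = frozenset({"accounts.example", "www.example"})
DEFAULT_TARGET = "/"


def is_allowed_destination(dest: str) -> bool:
    """True only for a same-site relative path or an absolute http(s) URL
    whose host is on ALLOWED_HOSTS.  Rejects the usual allowlist bypasses:
    protocol-relative '//evil', backslash variants '/\\evil', non-http
    schemes such as javascript:, userinfo tricks ('https://good@evil') and
    control characters that some parsers silently strip."""
    if not dest or any(c in dest for c in "\r\n\t\x00"):
        return False
    # Browsers treat a backslash in the authority position like a slash.
    normalized = dest.replace("\\", "/")
    if normalized.startswith("/"):
        # A relative path is fine; '//host' is protocol-relative and is not.
        return not normalized.startswith("//")
    parts = urlsplit(normalized)          # scheme and hostname come back lower-cased
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "") in ALLOWED_HOSTS


def redirect_target(dest: str, referrer: Optional[str]) -> str:
    """Decide where /redirect?url=<dest> actually sends the user.
    The destination is ignored (fall back to DEFAULT_TARGET) unless the
    request carries a trusted Referer AND the destination is allowlisted."""
    ref_host = urlsplit(referrer or "").hostname or ""
    if ref_host not in TRUSTED_REFERRER_HOSTS:
        return DEFAULT_TARGET
    if not is_allowed_destination(dest):
        return DEFAULT_TARGET
    return dest


if __name__ == "__main__":
    # Constructed inputs: one legitimate bounce and a few attacker-shaped ones.
    for dest, ref in [
        ("https://www.example/welcome", "https://accounts.example/login"),
        ("https://evil.example/login", "https://accounts.example/login"),
        ("//evil.example/", "https://accounts.example/login"),
        ("https://www.example/welcome", None),
    ]:
        print(f"{dest!r:40} from {ref!r:35} -> {redirect_target(dest, ref)}")
```

The allowlist does the real work. The Referer check is only a secondary signal: browsers omit or truncate it under `Referrer-Policy`, privacy tooling strips it, and it is client-supplied, so this code treats a missing or untrusted Referer as "ignore the parameter" rather than as proof of anything.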
Not sure I follow - is the idea to redirect from google.com to an attacker's site that spoofs the Google login page? I think we'll get more mileage out of solving that with origin-aware authentication mechanisms (password managers, U2F, WebAuthn, etc.) and perhaps address bars that show the eTLD+1 instead of / more prominently than the full URL. Phishing is already a problem even without open redirects.
> Widely distribute links "to a cute puppy on Instagram" that redirect to a URL that triggers a resource-intensive search operation on the victim's server?
Keep in mind that unrelated web pages can send GET requests to each other by just using an image tag, so if your website has a resource-intensive search delivered over GET and no automation to detect suspicious behavior and spikes in certain types of requests, you're already vulnerable to this via e.g. someone submitting an interesting blog page to HN that loads your search page as a resource. Either make it POST or add some HTTP-level DDoS protection a la Cloudflare.
Same with advertising fraud - ad clicks should be POSTs. (Open POST redirects do seem more dangerous but are probably rare.)
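The point made in the reply above, as an added example that is not code from the thread: an expensive search reachable over GET is triggered by an `<img>` tag on any page, and the hardened version is POST-only. It goes one step beyond the reply by also rejecting cross-site POSTs (an auto-submitted form on the attacker's page) using the `Sec-Fetch-Site` and `Origin` headers that browsers attach, since "make it POST" alone does not stop a form on another origin. The site name `victim.example`, the `/search` endpoint, the `Request` class and the constructed requests are assumptions for illustration:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed origin of the site being protected (not from the thread).
SITE_ORIGIN = "https://victim.example"


@dataclass
class Request:
    method: str
    target: str                                          # path plus query string
    headers: Dict[str, str] = field(default_factory=dict)  # lower-case header names
    body: str = ""


def expensive_search(query: str) -> dict:
    """Stand-in for the resource-intensive operation the thread describes."""
    return {"query": query, "hits": 0}


def handle_search_weak(req: Request) -> Tuple[int, Optional[dict]]:
    """The endpoint as the reply describes it: any GET with ?q= does the
    expensive work.  Nothing here distinguishes a user typing the URL from
    an <img> tag on an unrelated page fetching it."""
    parts = urlsplit(req.target)
    if req.method != "GET" or parts.path != "/search":
        return 404, None
    query = parse_qs(parts.query).get("q", [""])[0]
    return 200, expensive_search(query)


def handle_search_hardened(req: Request) -> Tuple[int, Optional[dict]]:
    """Hardened endpoint: POST only, and only when the browser says the
    request is same-origin.  Browsers attach Sec-Fetch-Site to requests
    and Origin to cross-origin POSTs; a page on attacker.example cannot
    forge either header."""
    if urlsplit(req.target).path != "/search":
        return 404, None
    if req.method != "POST":
        return 405, None            # an <img src=...> can only ever issue a GET
    site = req.headers.get("sec-fetch-site")
    if site is not None:
        if site != "same-origin":
            return 403, None        # cross-site, same-site or none: not our page
    elif req.headers.get("origin") != SITE_ORIGIN:
        # Older browser without Fetch Metadata: fall back to the Origin header.
        # A CSRF token in the form body would be the further fallback.
        return 403, None
    query = parse_qs(req.body).get("q", [""])[0]
    return 200, expensive_search(query)


# Constructed attacker page: a 1x1 image that makes every visitor's browser
# issue a GET to the expensive endpoint.
ATTACKER_PAGE = '<img src="https://victim.example/search?q=%2A" width="1" height="1">'


def request_from_img_tag() -> Request:
    """What a browser sends when it renders ATTACKER_PAGE (constructed)."""
    return Request("GET", "/search?q=%2A",
                   {"sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors",
                    "sec-fetch-dest": "image", "referer": "https://attacker.example/"})


def request_from_attacker_form() -> Request:
    """An auto-submitted cross-site form on attacker.example (constructed)."""
    return Request("POST", "/search",
                   {"sec-fetch-site": "cross-site", "origin": "https://attacker.example",
                    "content-type": "application/x-www-form-urlencoded"},
                   "q=%2A")


def request_from_own_form() -> Request:
    """A genuine search submitted from the site's own page (constructed)."""
    return Request("POST", "/search",
                   {"sec-fetch-site": "same-origin", "origin": SITE_ORIGIN,
                    "content-type": "application/x-www-form-urlencoded"},
                   "q=puppies")


if __name__ == "__main__":
    for name, req in [("img tag", request_from_img_tag()),
                      ("cross-site form", request_from_attacker_form()),
                      ("own form", request_from_own_form())]:
        print(f"{name:16} weak: {handle_search_weak(req)[0]}  "
              f"hardened: {handle_search_hardened(req)[0]}")
```

The same shape applies to the ad-click case: a click handler that does its accounting on GET is reachable from any page's `<img>`, while a POST gated on `Sec-Fetch-Site: same-origin` (or a matching `Origin`) is not. Rate limiting at the edge, as the reply also suggests, is complementary rather than a substitute, since it limits the damage without removing the cross-site trigger.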