I recently came across an open redirect vulnerability within Google's interface. After thorough testing and verification, I reported this issue to Google, adhering to the principles of responsible disclosure. However, to my surprise, the response was that they would not address this issue (categorized as "won't fix").

While I understand the complexity and challenges involved in addressing every reported vulnerability, I believe this particular issue warrants further attention due to its potential implications. The vulnerability involves manipulation of URL parameters in a way that could mislead users into believing they are accessing a safe Google link, while in reality, they're redirected to an untrusted site belonging to the attacker. This scenario raises concerns, especially considering the trust users place in URLs containing familiar domain names like Google's.

To be clear, I have not shared any explicit details or steps on how to exploit this vulnerability, as my intention is not to enable malicious use.

What advice and perspective do you have on the following:

1/ Has anyone else encountered similar responses when reporting vulnerabilities to major tech companies?

2/ What would be the recommended course of action to ensure that such potential security issues are taken seriously and addressed appropriately?

3/ Are there any additional steps I can take to advocate for the responsible resolution of such issues, considering the initial response?

Thank you for your time and thoughts.
So let everyone else know. Either people will agree with Google and this wasn’t a big issue, or they’ll agree with you and criticise Google. From the latter, either they will fix it or they won’t, but everyone else wins because they either know to not trust Google because of a known vulnerability or the problem will no longer be.
But keeping this a secret for long will be harmful. If you found it, bad actors can too. For all we know this is being exploited today.