Open redirect on Google.com
An open redirect is operating at www.google.com
Google's main website provides a subsite for displaying mobile-optimized pages published using a special subset of HTML called AMP. While this works for mobile devices, for non-mobile devices it redirects to the original site, which results in an open redirect.
The subsite operates at the following URL:
where XXXX is the URL of the site.
Here is an example of a legit URL; in mobile browsers this would display the actual article (this can be simulated using Chrome's developer tools):
HOWEVER, on non-mobile devices this would redirect to:
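The viewer behaviour described above, as a constructed Python example added here (not Google's code; the cache contents, host names and the `viewer_*` functions are assumptions): the unchecked version echoes whatever URL was supplied as a redirect for non-mobile clients, while the hardened version only redirects to an origin it actually holds cached content for.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample data: origins whose AMP pages this viewer has cached,
# and the cached documents themselves keyed by their original URL.
CACHED_ORIGINS = {"news.example.org", "blog.example.net"}
AMP_PAGES = {"https://news.example.org/story/amp": "<html amp>cached copy</html>"}


def is_mobile(user_agent: str) -> bool:
    """Crude UA sniffing, enough to model the mobile / non-mobile split."""
    return any(m in user_agent for m in ("Mobile", "Android", "iPhone"))


def viewer_vulnerable(target: str, user_agent: str) -> Tuple[int, str]:
    """Serve the cached page to mobile clients; redirect everyone else to `target` unchecked."""
    if is_mobile(user_agent) and target in AMP_PAGES:
        return 200, AMP_PAGES[target]
    # Open redirect: the URL taken from the request path goes straight into Location.
    return 302, target


def safe_redirect_target(target: str) -> Optional[str]:
    """Return `target` only if it is an absolute http(s) URL whose host we cache content for."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        # Rejects javascript:/data: schemes, scheme-relative //host forms and bare paths.
        return None
    host = (parts.hostname or "").lower()  # parsed host, not a string-prefix check
    if host not in CACHED_ORIGINS:
        return None
    return target


def viewer_hardened(target: str, user_agent: str) -> Tuple[int, str]:
    """Same flow, but a non-mobile client is only redirected to an allowlisted origin."""
    if is_mobile(user_agent) and target in AMP_PAGES:
        return 200, AMP_PAGES[target]
    dest = safe_redirect_target(target)
    if dest is None:
        return 404, ""  # unknown destination: refuse rather than redirect
    return 302, dest
```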
The vendor communicated that they do not consider open redirects to be a security issue.
Google Security CID: 7-2623000011032
AMP site: https://www.ampproject.org/
Vendor's view on open redirects: https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect
2016-04-07: Vendor notified
2016-04-07: Vendor response
2016-04-11: Public disclosure