This morning I woke up to find a random Skype message from a friend whose Skype account had been compromised. Like most spam messages, this one contained a URL. However, what is intriguing about this URL is that it is a genuine Google link that looks reasonably trustworthy (if you ignore the suspicious-looking URL-encoded part!) but actually redirects the user to an entirely different site via Google, without stopping to warn them along the way.
The URL I received was similar to this one:
The version I received had two additional parameters, one of which was a five digit number and the other was my Skype ID. I haven't tried the version with my Skype ID, but I imagine it would do much the same thing. Clicking on the link redirects the user via several sites to a site advertising a get-rich-quick scheme. In this case, nothing too scary, but then again, I didn't check to see if the site contained malware or other nasties.
Decoding the URL-encoded portion results in a link that looks like this:
What is really troubling about this URL is that it starts with https://www.google.com. The reason I say it's troubling is that I have just spent months training users not to click on any link that isn't HTTPS and/or doesn't look like a legitimate domain, yet here we have a URL that should, according to what I've been telling users, be totally safe to click, except it isn't, because it redirects users without warning to a completely different site.
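The practical lesson of the paragraph above is that "HTTPS on a well-known domain" is not enough of a check on its own: a link can be on a trusted host and still carry a URL-encoded destination on some other host in its query string. The following is an added example (not code from the original post, and not a description of Google's actual parameters): a small link filter that decodes the query parameters of a link and flags any that embed a URL pointing at a host other than the link's own. The sample links, and the parameter name `target` used in them, are constructed placeholders for illustration only.

```python
"""
Added example (not from the original post): decode a link's query
parameters and report any that embed a URL whose host differs from the
link's own host. A mail or chat link filter could run this before
treating a link as safe just because it is HTTPS on a familiar domain.
"""
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample links. The parameter name "target" is a placeholder,
# not a claim about which parameter Google actually uses, and the real
# URL from the post is not reproduced here.
SAMPLE_LINKS = [
    "https://www.google.com/search?q=weather",
    "https://www.google.com/search?q=weather"
    "&target=https%3A%2F%2Fexample.net%2Foffer%3Fid%3D12345",
    "https://www.google.com/search?q=weather"
    "&target=https%3A%2F%2Fwww.google.com%2Fabout",
]


def embedded_urls(link: str, max_depth: int = 3) -> list[str]:
    """Return URLs found (URL-encoded) inside the query string of ``link``.

    parse_qsl decodes each value once; the loop decodes further, up to
    ``max_depth`` times, because spam links are sometimes double-encoded.
    """
    found = []
    parts = urlsplit(link)
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = value
        for _ in range(max_depth):
            if urlsplit(decoded).scheme in ("http", "https"):
                found.append(decoded)
                break
            nxt = unquote(decoded)
            if nxt == decoded:  # nothing left to decode
                break
            decoded = nxt
    return found


def external_redirect_targets(link: str) -> list[str]:
    """Return the hosts embedded in ``link`` that differ from its own host."""
    own_host = (urlsplit(link).hostname or "").lower()
    hosts = ((urlsplit(u).hostname or "").lower() for u in embedded_urls(link))
    return sorted({h for h in hosts if h and h != own_host})


def classify(link: str) -> str:
    """'clean' if no foreign host is embedded in the query, else 'suspicious'."""
    return "suspicious" if external_redirect_targets(link) else "clean"


if __name__ == "__main__":
    for sample in SAMPLE_LINKS:
        print(classify(sample), external_redirect_targets(sample), sample)
```

The check is deliberately host-based rather than parameter-name-based: since the post could not find a specification for the parameters involved, a filter that only knows one parameter name would miss the next variant, whereas "does this link smuggle a different host inside its query string" holds regardless of which parameter carries it.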
I spent some time investigating this issue but was unable to find either a definitive specification for Google Search URL parameters or any coverage on this particular issue, which seems strange given the severity of the issue. Perhaps I wasn't using the right search terms. I tried crafting my own URL that would automatically redirect to another site, but Google would bring up a page informing me that I was being redirected. What I really want to know is which of the parameters in the URL result in the redirection being direct, without notification?
If you know how this automatic redirection works, or where the definitive docs are for the Google Search URL parameters and/or have any idea why Google is allowing this kind of thing to happen, please drop me a line via my contact page, as this seems like a fairly serious security issue and I don't understand why Google makes it possible. Even if Google knows this is possible, surely they wouldn't consider it desirable, would they?