Google Covert Redirect Web Security Bugs Based on Googleads.g.doubleclick.net

 

 

 

 

Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net

-- Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

(1) WebSite:

google.com

"Google is an American multinational technology company specializing in Internet-related services and products. These include online advertising technologies, search, cloud computing, and software. Most of its profits are derived from AdWords, an online advertising service that places advertising near the list of search results.

The corporation has been estimated to run more than one million servers in data centers around the world (as of 2007). It processes over one billion search requests and about 24 petabytes of user-generated data each day (as of 2009). In December 2013, Alexa listed google.com as the most visited website in the world. Numerous Google sites in other languages figure in the top one hundred, as do several other Google-owned sites such as YouTube and Blogger. Its market dominance has led to prominent media coverage, including criticism of the company over issues such as search neutrality, copyright, censorship, and privacy." (Wikipedia)

(2) Vulnerability Description:

Google web application has a computer cyber security problem. Hacker can exploit it by Covert Redirect attacks. 

The vulnerability exists at "Logout?" page with "&continue" parameter, i.e.

https://www.google.com/accounts/Logout?service=writely&continue=https://googleads.g.doubleclick.net

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04)，Apple Safari 6.1.6 of Mac OS X Lion 10.7. 

(2.1) When a user is redirected from Google to another site, Google will check whether the redirected URL belongs to domains in Google's whitelist (The whitelist usually contains websites belong to Google), e.g.

docs.google.com

googleads.g.doubleclick.net

If this is true, the redirection will be allowed.

However, if the URLs in a redirected domain have open URL redirection  vulnerabilities themselves, a user could be redirected from Google to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Google directly.

One of the vulnerable domain is,

googleads.g.doubleclick.net (Google's Ad System)

(2.2) Use one webpage for the following tests. The webpage address is "http://www.inzeed.com/kaleidoscope". We can suppose that this webpage is malicious.

Vulnerable URL:

https://www.google.com/accounts/Logout?service=writely&continue=https://google.com/

POC:

https://www.google.com/accounts/Logout?service=wise&continue=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0--tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%26num%3D0%26sig%3DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%26client%3Dca-pub-0466582109566532%26adurl%3Dhttp%3A%2F%2Fwww.inzeed.com%2Fkaleidoscope

POC Video:

https://www.youtube.com/watch?v=btuSq89khcQ&feature=youtu.be

Blog Detail:
http://securityrelated.blogspot.com/2014/11/covert-redirect-vulnerability-based-on.html

(3) What is Covert Redirect? 

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS vulnerabilities in third-party applications.

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect was found and dubbed by a Mathematics PhD student Wang Jing from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.


After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196.  X-Force reference number is 93031.

Discover and Reporter:

Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

http://tetraph.com/wangjing/

More Details:

http://computerobsess.blogspot.com/2014/11/google-covert-redirect-vulnerability.html

http://seclists.org/fulldisclosure/2014/Nov/29

http://cxsecurity.com/issue/WLB-2014110106

http://tetraph.blog.163.com/blog/static/23460305120141145350181/

https://infoswift.wordpress.com/2014/05/25/google-web-security/

http://tetraph.tumblr.com/post/119490394042/securitypost#notes

http://securityrelated.blogspot.com/2014/11/covert-redirect-vulnerability-based-on.html

http://webtech.lofter.com/post/1cd3e0d3_706af10

https://twitter.com/tetraphibious/status/559165319575371776

http://tetraph.com/security/covert-redirect/google-based-on-googleads-g-doubleclick-net/

http://www.inzeed.com/kaleidoscope/computer-security/google-covert-g-doubleclick-net/

https://hackertopic.wordpress.com/2014/05/25/google-web-security/