HACKER Q&A
📣 marmotteio

I found an open-redirect vulnerability in Google, but they won't fix


I recently came across an open redirect vulnerability within Google's interface. After thorough testing and verification, I reported this issue to Google, adhering to the principles of responsible disclosure. However, to my surprise, the response was that they would not address this issue (categorized as "won't fix").

While I understand the complexity and challenges involved in addressing every reported vulnerability, I believe this particular issue warrants further attention due to its potential implications.

The vulnerability involves manipulation of URL parameters in a way that could mislead users into believing they are accessing a safe Google link, while in reality, they're redirected to an untrusted site belonging to the attacker. This scenario raises concerns, especially considering the trust users place in URLs containing familiar domain names like Google's.

To be clear, I have not shared any explicit details or steps on how to exploit this vulnerability, as my intention is not to enable malicious use.

What advice and perspective on the following:

1/ Has anyone else encountered similar responses when reporting vulnerabilities to major tech companies?

2/ What would be the recommended course of action to ensure that such potential security issues are taken seriously and addressed appropriately?

3/ Are there any additional steps I can take to advocate for the responsible resolution of such issues, considering the initial response?

Thank you for your time and thoughts.

  👤 latexr Accepted Answer ✓
Ultimately you may find that the best course of action is to publish your findings to the wider web. You reported it to the ones who can fix it and they dismissed it as unimportant, thus they are signaling to you there is no harm in talking about it.

So let everyone else know. Either people will agree with Google and this wasn’t a big issue, or they’ll agree with you and criticise Google. From the latter, either they will fix it or they won’t but everyone else wins because they either know to not trust Google because of a known vulnerability or the problem will no longer be.

But keeping this a secret for long will be harmful. If you found it, bad actors can too. For all we know this is being exploited today.

👤 TheTxT
Those redirect URLs under googles domain are part of every search results page, so my question would be how the vulnerability you found is creating more dangers than the existing mechanism. That is probably the reason why google won't fix it, because they have already accepted the risk to facilitate better tracking of users.
👤 palata
Isn't the idea of responsible disclosure to give them some time to fix, and to publish after they have had enough time to fix (or in this case decide not to fix)?

According to Wikipedia [1]:

"In computer security, coordinated vulnerability disclosure (CVD, formerly known as responsible disclosure)[1] is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability or issue."

and when it comes to Google:

"Google Project Zero has a 90-day disclosure deadline which starts after notifying vendors of vulnerability, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix."

In other words, I think they would publish a vulnerability they would find in your software (after the disclosure deadline). Why wouldn't you do the same for them?

[1]: https://en.wikipedia.org/wiki/Coordinated_vulnerability_disc...