Overview
A marketing server at adwords.google.com operated an open redirect.
Background
Google’s main AdWords landing page takes a cd parameter indicating a specific country to target, and redirects to a country-specific page. Examples of such URLs are as follows:
Canada: https://adwords.google.com/?cd=ca
France: https://adwords.google.com/?cd=fr
Russia: https://adwords.google.com/?cd=ru
Details
The cd parameter, which specifies the country, was not checked against a list of valid values. Instead, its value was used to replace the “com” portion of the URL. For example:
https://adwords.google.com/?cd=fr
becomes
https://www.google.fr/adwords/
This can be used to redirect users to a malicious page. Example URL with malicious content:
https://adwords.google.com/?cd=some.evil.site.com
Redirects to:
https://www.google.some.evil.site.com/adwords/
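The substitution described above, next to an allowlisted variant, as an added example that is not Google's code. The function names, the default redirect target and the allowlist contents (including the assumed uk entry) are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist: accepted cd values mapped to the domain suffix to use.
# A mapping (not a set) lets a code such as "uk" resolve to "co.uk" (assumed entry).
ALLOWED_COUNTRY_SUFFIXES = {"ca": "ca", "fr": "fr", "ru": "ru", "uk": "co.uk"}
DEFAULT_REDIRECT = "https://www.google.com/adwords/"  # assumed fallback target


def _cd_values(url):
    """Return every cd value present in the query string."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("cd", [])


def redirect_unchecked(url):
    """Behaviour the advisory describes: cd replaces "com" without validation."""
    values = _cd_values(url)
    if not values:
        return DEFAULT_REDIRECT
    return f"https://www.google.{values[0]}/adwords/"


def redirect_allowlisted(url):
    """Only a single, known country code may influence the redirect host."""
    values = _cd_values(url)
    if len(values) != 1:  # missing or repeated parameter: do not guess
        return DEFAULT_REDIRECT
    suffix = ALLOWED_COUNTRY_SUFFIXES.get(values[0].strip().lower())
    if suffix is None:  # unknown value never reaches the hostname
        return DEFAULT_REDIRECT
    return f"https://www.google.{suffix}/adwords/"


def redirect_host(location):
    """Hostname a browser would actually contact for a Location value."""
    return urlsplit(location).hostname


if __name__ == "__main__":
    for cd in ("fr", "some.evil.site.com"):
        src = f"https://adwords.google.com/?cd={cd}"
        print(cd, "->", redirect_host(redirect_unchecked(src)),
              "|", redirect_host(redirect_allowlisted(src)))
```

Because the user-supplied value lands to the right of "google." in the hostname, the registrable domain of the unchecked redirect belongs to whoever controls the supplied suffix.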
The vendor communicated that they consider this a low-level attack, and do not plan to track a fix for this issue. However, we have since confirmed that this issue was fixed prior to publication.
References
Google Security CID: 9–6197000008153
Google’s view on open redirects: https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect
Credits
Discovered and written by Yakov Shafranovich
Timeline
2015-08-07: Vendor notified
2015-08-07: Initial vendor response
2015-08-11: Vendor replicated the issue
2015-09-05: Follow up communications with vendor
2015-09-20: Fix confirmed
2015-10-12: Public disclosure
2016-03-14: Updated disclosure posted