A marketing server at adwords.google.com operated an open redirect.
Google’s main AdWords landing page takes a cd parameter indicating a specific country to target, which redirects to a country-specific page. Examples of such URL are as follows:
The cd parameter which specifies the country was not checked against a valid list of values. Instead, this parameter is used to replace the “com” value in the URL with the value from the cd parameter. For example:
This can be used to redirect users to a malicious page. Example URL with malicious content:
The vendor communicated that they consider this a low level attack, and do not plan to track a fix for this issue. However, we have since confirmed that this issue has been fixed prior to publication.
Google Security CID: 9–6197000008153
Google’s view on open directs: https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect
Discovered and written by Yakov Shafranovich
2015–08–07: Vendor notified
2015–08–07: Initial vendor response
2015–08–11: Vendor replicated the issue
2015–09–05: Follow up communications with vendor
2015–09–20: Fix confirmed
2015–10–12: Public disclosure
2016–03–14: Updated disclosure posted