
Google recently announced a 'quiz' - more of a tutorial - on identifying phishing email: https://phishingquiz.withgoogle.com

It includes a sample URL: https://google.com/amp/tinyurl.com/y7u8ewlr

When followed, this is converted into https://www.google.com/url?q=http://tinyurl.com/y7u8ewlr and a Redirect Notice page is shown with this content:

The page you were on is trying to send you to http://tinyurl.com/y7u8ewlr. If you do not want to visit that page, you can return to the previous page.

Following the tinyurl link takes you to a Jigsaw page; Jigsaw and Google seem to have cooperated in producing this quiz.

Putting in any schemeless domain name with optional resources (e.g. ibm.com) works as well: https://www.google.com/amp/ibm.com

Why might google.com perform these redirections? Are they a security risk (as they can make any URL appear to be from google)?

Philipp
philcolbourn
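The two redirector shapes the question describes (google.com/amp/&lt;host/path&gt;, which is turned into www.google.com/url?q=&lt;scheme&gt;://&lt;host/path&gt;) are exactly what a mail gateway or a link-analysis tool has to unwrap before it can judge where a link really goes. The following is an added example, not code from the question, the answer or Google; it peels those two layers (repeatedly, since one can be nested inside the other) and reports whether the host a user sees in the tooltip differs from the final destination. The handling of "/amp/s/" as an https origin and of a "url" query parameter are assumptions and are marked as such in the code; the "q" parameter and the plain "/amp/" form come from the question itself.

```python
from urllib.parse import urlparse, parse_qs

# Hosts whose /url and /amp paths act as redirectors, as observed in the question.
GOOGLE_REDIRECTOR_HOSTS = {"google.com", "www.google.com"}


def _strip_one_layer(url):
    """Return the destination one google.com redirector layer points to, or None.

    Handles:
      https://www.google.com/url?q=<target>      (seen in the question)
      https://google.com/amp/<host/path>         (seen in the question; schemeless -> http)
      https://google.com/amp/s/<host/path>       (assumption: 's/' marks an https origin)
    """
    parts = urlparse(url)
    host = parts.netloc.lower()
    if host not in GOOGLE_REDIRECTOR_HOSTS:
        return None

    if parts.path == "/url":
        qs = parse_qs(parts.query)
        # "q" is what the Redirect Notice URL in the question uses;
        # "url" is an assumption added here for completeness.
        for key in ("q", "url"):
            if qs.get(key):
                return qs[key][0]
        return None

    if parts.path.startswith("/amp/"):
        rest = parts.path[len("/amp/"):]
        if parts.query:
            rest += "?" + parts.query
        # Assumption: "/amp/s/" prefix means the origin is https, bare "/amp/" means http.
        if rest.startswith("s/"):
            return "https://" + rest[2:]
        return "http://" + rest

    return None


def unwrap_redirect(url, max_depth=5):
    """Follow redirector layers syntactically (no network) and return the chain.

    chain[0] is the URL as shown to the user, chain[-1] the effective destination.
    max_depth bounds the loop so a crafted URL cannot make this spin forever.
    """
    chain = [url]
    while len(chain) <= max_depth:
        nxt = _strip_one_layer(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def visible_host_mismatch(url):
    """Return (mismatch, chain): mismatch is True when the host a user sees in a
    hover tooltip (chain[0]) is not the host the link finally lands on (chain[-1]).
    This is the property the question is worried about: a google.com link that
    actually delivers the user somewhere else."""
    chain = unwrap_redirect(url)
    seen = urlparse(chain[0]).netloc.lower()
    final = urlparse(chain[-1]).netloc.lower()
    return seen != final, chain


if __name__ == "__main__":
    # Constructed sample links, including the two from the question.
    samples = [
        "https://google.com/amp/tinyurl.com/y7u8ewlr",
        "https://www.google.com/url?q=http://tinyurl.com/y7u8ewlr",
        "https://www.google.com/amp/ibm.com",
        "https://www.google.com/url?q=https://www.google.com/amp/ibm.com",  # nested
        "https://www.google.com/search?q=ibm",  # not a redirector
    ]
    for s in samples:
        mismatch, chain = visible_host_mismatch(s)
        print(("MISMATCH " if mismatch else "ok       ") + " -> ".join(chain))
```

The check is purely syntactic, so it runs offline and does not touch the redirector; in a real gateway you would still resolve the final destination against a reputation list, because the point of the answer below is that the tooltip host is not a security indicator.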

1 Answer

3

Google's FAQ about this topic includes:

[...] Some members of the security community argue that the redirectors aid phishing, because users may be inclined to trust the mouse hover tooltip on a link and then fail to examine the address bar once the navigation takes place.

Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so, we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk.

They apparently have sufficient business reason to offer the redirects to continue offering it as a service, and to deal with the fallout from offering it.

sarnold