Open Redirect Fraud using Google Links in Spam Emails

As a follow-up to our previous article: the Google open redirect is also being used in spam emails. Although these mechanisms are well known, Google does not consider this to be a problem.

Google: "Open redirectors take you from a Google URL to another website chosen by whoever constructed the link. Some members of the security community argue that the redirectors aid phishing, because users may be inclined to trust the mouse hover tooltip on a link and then fail to examine the address bar once the navigation takes place.

Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so, we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk. We think the issue might not be severe enough for us to track it as an abuse risk."

Here is another one:

That this technique lets spam emails pass through detection does not seem to be an issue for Google. The claim that these redirectors are "properly monitored" does not appear to hold. It would be very easy to make these redirects secure, e.g. with an additional hash value; hopefully consistent reporting of these issues will bring about a change.
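To illustrate the "additional hash value" fix, here is an added example (not Google's code; the endpoint, parameter names and key are assumptions) showing the weak open redirect beside a version that only follows links carrying a valid HMAC over the target URL:

```python
import hmac
import hashlib
from typing import Optional
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed key for this example only; a real deployment loads it from a
# secrets store and rotates it.
SECRET_KEY = b"example-redirector-key-not-for-production"
REDIRECT_ENDPOINT = "https://example.com/url"  # hypothetical redirector path


def open_redirect(link: str) -> Optional[str]:
    """Weak form: trusts the ?q= parameter unconditionally, so anyone can
    mint a link that bounces through the trusted domain to any destination."""
    params = parse_qs(urlparse(link).query)
    return params.get("q", [None])[0]


def sign_target(target: str) -> str:
    """HMAC-SHA256 over the exact target URL, hex encoded."""
    return hmac.new(SECRET_KEY, target.encode("utf-8"), hashlib.sha256).hexdigest()


def build_signed_link(target: str) -> str:
    """Only the site (holder of SECRET_KEY) can produce a link that verifies."""
    query = urlencode({"q": target, "sig": sign_target(target)})
    return f"{REDIRECT_ENDPOINT}?{query}"


def resolve_signed_redirect(link: str) -> Optional[str]:
    """Hardened form: return the target only if the signature verifies.
    None means the handler should answer with an error, not a redirect."""
    params = parse_qs(urlparse(link).query)
    target = params.get("q", [None])[0]
    sig = params.get("sig", [None])[0]
    if target is None or sig is None:
        return None
    # Constant-time comparison so a forged signature cannot be guessed
    # byte by byte via timing differences.
    if not hmac.compare_digest(sig, sign_target(target)):
        return None
    return target
```

A spam link constructed without the key, or a legitimate link whose target was swapped, fails verification and is never followed.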