Exploiting Google's Parameter 'q' to show Visitors/Bots with Fake Keywords and Google's Open-Redirect Issue | Aleri0n V0RT3X

12 December, 2015

As mentioned earlier in one of my threads (http://hackforums.net/showthread.php?tid=5044562), I reported a bug in the param 'q' which can be used to generate visitors/bots with fake keywords that not even Analytics can detect. Since there's no actual fix to the bug according to Google, I had to post a thread. I wrote them everything they needed to know about the bug, the solution to fix it and the reproduction steps, including a proof-of-concept video.

Reproduction steps:

1. Suppose I want to send traffic to my client. Let's say his website is onlinecarsblog . com or whatever. Of course he wants targeted traffic, and what's more convincing than traffic coming straight from Google with the keyword "Buy Cars, etc."? Well, here's the trick.



2. This is the URL: www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CBoQFjAAahUKEwjVr6fbvfTIAhUJmJQKHYYeAqA&url=https%3A%2F%2Fwww.facebook.com%2F&usg=AFQjCNGug_CqO9cxLI8dHdn-CceO8_ie5w (I'm using Facebook's link as an example.)




3. The "q=" query parameter determines the keyword that Analytics or any other traffic-stats website will show. So if you change it to "something", traffic will be shown to be coming from Google with the keyword "something".


4. "usg" is a unique id for each URL. facebook . com will have "usg=AFQjCNGug_CqO9cxLI8dHdn-CceO8_ie5w" and facebook.com/anything will have a different unique usg. So don't mess with it unless you know what you're doing.

Attack scenario:

An attacker can use this to manipulate stats in Analytics.
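
A defender-side review of referrers, as an added example that is not from the original post: since the post shows "q" can be changed freely while "usg" stays tied to the URL, it parses google.com/url referrers, treats the keyword as untrusted, and reports referrers whose url= names another host plus keywords repeated from a single IP. The host name, sample hits, threshold and both heuristics are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "www.example.com"  # assumption: the site whose stats are reviewed
G = "https://www.google.com/url?sa=t&usg=PLACEHOLDER&url=https%3A%2F%2F"

# Constructed (client IP, Referer) pairs; not real traffic.
SAMPLE_HITS = [
    ("203.0.113.10", G + "www.example.com%2F&q=buy+cars"),
    ("203.0.113.10", G + "www.example.com%2F&q=buy+cars"),
    ("203.0.113.10", G + "www.example.com%2F&q=Buy+Cars"),
    ("198.51.100.7", G + "www.example.com%2Fblog&q="),
    ("198.51.100.8", G + "www.example.com%2F&q=car+reviews"),
    ("192.0.2.44", G + "www.facebook.com%2F&q=cheap+cars"),
    ("192.0.2.50", "https://www.example.org/page"),
]


def parse_google_referrer(referrer):
    """Return (keyword, target_host) for a google.com/url referrer, else None."""
    if not referrer.startswith(("http://", "https://")):
        referrer = "//" + referrer  # scheme-less form, as written in the post
    parts = urlsplit(referrer)
    host = (parts.hostname or "").lower()
    if parts.path != "/url" or not (host == "google.com" or host.endswith(".google.com")):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    keyword = qs.get("q", [""])[0].strip().lower()
    target = urlsplit(qs.get("url", [""])[0]).hostname or ""
    return keyword, target.lower()


def review(hits, site_host=SITE_HOST, min_hits=3):
    """Return (referrers whose url= is another host, keywords repeated by one IP)."""
    mismatched, ips, counts = [], defaultdict(set), defaultdict(int)
    for ip, referrer in hits:
        parsed = parse_google_referrer(referrer)
        if parsed is None:
            continue  # not a Google redirect referrer
        keyword, target = parsed
        if target != site_host:
            mismatched.append((ip, target))
        elif keyword:
            ips[keyword].add(ip)
            counts[keyword] += 1
    repeated = sorted(k for k, n in counts.items() if n >= min_hits and len(ips[k]) == 1)
    return mismatched, repeated


if __name__ == "__main__":
    print(review(SAMPLE_HITS))
```

Neither list proves forgery; they only mark keyword rows that deserve a cross-check against other signals before the numbers are trusted.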

Proof of Concept:

In my video I have demonstrated how this can be used to manipulate Analytics to show visitors/bots with fake keywords.


Google's Response:

When I first reported this to Google, these were the responses to my emails.


Open-redirect issue -

I had also found another param bug which could lead to an open-redirect issue once the user logs in. An attacker/hacker could use it to redirect the victim to their phishing page, or inject an exploit hosted on their server. Not only did the same URL have an open-redirect issue, but it would also try to POST another param with some data that one could log, but it was useless according to Google. As of now I choose not to discuss it much. Once it gets fixed, I'll update the post with information on how I managed to do it. Google's response:

When I described it as an open-redirect issue, and used it to describe a phishing scenario, this is what they responded with:



Last Modified: 12 December, 2015
