Google DoubleClick.net (Advertising) System URL Redirection Vulnerabilities Could Be Used by Spammers
Although Google does not include Open Redirect vulnerabilities in its bug bounty program, its preventive measures against Open Redirect attacks have been quite thorough and effective to date.
However, Google might have overlooked the security of its DoubleClick.net advertising system. Testing found that most of the redirection URLs within DoubleClick.net are vulnerable to Open Redirect attacks. Many redirections are likely to be affected. This could allow a user to create a specially crafted URL that, if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are effective because the crafted URL initially appears to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.
These redirections can easily be used by spammers, too.
Some URLs belonging to Googleads.g.Doubleclick.net are vulnerable to Open Redirect attacks, too, while Google prevents similar URL redirections on domains other than Googleads.g.Doubleclick.net. Attackers can use URLs related to Google Account to make the attacks more powerful.
Moreover, these vulnerabilities can be used to attack other companies such as Google, eBay, The New York Times, Amazon, Godaddy, Yahoo, Netease, e.g. by bypassing their Open Redirect filters (Covert Redirect).
Discoverer and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/
http://www.tetraph.com/
(1) Background Related to Google DoubleClick.net.
(1.1) What is DoubleClick.net?
"DoubleClick
is a subsidiary of Google which develops and provides Internet ad
serving services. Its clients include agencies, marketers (Universal
McCann, AKQA etc.) and publishers who serve customers like Microsoft,
General Motors, Coca-Cola, Motorola, L'Oréal, Palm, Inc., Apple Inc.,
Visa USA, Nike, Carlsberg among others. DoubleClick's headquarters is in
New York City, United States.
DoubleClick
was founded in 1996 by Kevin O'Connor and Dwight Merriman. It was
formerly listed as "DCLK" on the NASDAQ, and was purchased by private
equity firms Hellman & Friedman and JMI Equity in July 2005. In
March 2008, Google acquired DoubleClick for US$3.1 billion. Unlike many
other dot-com companies, it survived the dot-com bubble and focuses on
uploading ads and reporting their performance." (Wikipedia)
(1.2) Reports Related to Google DoubleClick.net Used by Spammers
(1.2.1)
Google DoubleClick.net has been used by spammers for a long time. The following is from a report in 2008.
"The
open redirect had become popular with spammers trying to lure users
into clicking their links, as they could be made to look like safe URLs
within Google's domain."
(1.2.2)
Mitechmate published a blog post related to DoubleClick.net spam in 2014.
"Ad.doubleclick.net is recognized as a perilous adware application that causes unwanted redirections when surfing on the certain webpages. Actually it is another browser hijacker that aims to distribute frauds to make money. Commonly people pick up Ad.doubleclick virus when download softwares, browse porn site or read spam email attachments. It enters into computer sneakily after using computer insecurely. Ad.doubleclick.net is not just annoying, this malware traces users’ personal information, which would be utilized for cyber criminal."
(1.2.3)
Malwarebytes posted a news item related to DoubleClick.net malvertising in 2014.
"Large malvertising campaign under way involving DoubleClick and Zedo"
(2) DoubleClick.net System URL Redirection Vulnerabilities Details.
The vulnerabilities can be exploited without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04), Apple Safari 6.1.6 of Mac OS X Lion 10.7.
The following webpage was used for the tests: "http://securitypost.tumblr.com/". We can suppose that this webpage is malicious.
(2.1) Vulnerable URLs Related to Googleads.g.Doubleclick.net.
(2.1.1)
Some URLs belonging to googleads.g.doubleclick.net are vulnerable to Open Redirect attacks, while Google prevents similar URL redirection on domains other than googleads.g.doubleclick.net.
Vulnerable URLs:
POC:
Attackers can make use of the following URLs to make the attacks more powerful, i.e.
POC:
(2.1.2)
Google prevents similar URL redirection on domains other than googleads.g.doubleclick.net, e.g.
(2.2) Vulnerable URLs Related to DoubleClick.net.
Vulnerable URLs 1:
POC:
Vulnerable URLs 2:
POC:
Vulnerable URLs 3:
POC:
...
We can see that Google DoubleClick.net has Open Redirect vulnerabilities and could be misused by spammers.
(2.3)
POC Video:
Several 0-day vulnerabilities in other similar products have been found by other bug hunters before. Google has patched some of them. BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them. The following may be posted to the Bugtraq list: (a) Information on computer or network related security vulnerabilities (UNIX, Windows NT, or any other). (b) Exploit programs, scripts or detailed processes about the above. (c) Patches, workarounds, fixes. (d) Announcements, advisories or warnings. (e) Ideas, future plans or current works dealing with computer/network security. (f) Information material regarding vendor contacts and procedures. (g) Individual experiences in dealing with above vendors or security organizations. (h) Incident advisories or informational reporting. (i) New or updated security tools. A large number of the following web security issues have been published here: Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. It also publishes suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.
(3) Google DoubleClick.net Can Adversely Affect Other Websites.
At the same time, Google DoubleClick.net can be used to perform a "Covert Redirect" against other websites, such as Google, eBay, The New York Times, etc. (bypassing those websites' Open Redirect filters).
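The filter bypass described above, seen from the defending site's side, as an added example that is not code from the original post or from any of the named sites. It compares a redirect filter that validates only the first-level target with one that validates every nested target. The hosts shop.example and ads-redirector.example and the parameter names "next" and "dest" are constructed placeholders; the final destination is the test page from section (2).

```python
from urllib.parse import urlencode, urlsplit, parse_qsl

MAX_DEPTH = 5  # nesting deeper than this is rejected (fail closed)


def nested_targets(url, depth=0):
    """Yield each absolute http(s) URL carried in a query parameter of
    url, following nesting (a redirect URL inside a redirect URL)."""
    if depth >= MAX_DEPTH:
        raise ValueError("redirect nesting too deep")
    # parse_qsl percent-decodes once per level, as each hop would.
    for _name, value in parse_qsl(urlsplit(url).query):
        candidate = value.strip()
        if candidate.startswith("//"):  # scheme-relative target
            candidate = "https:" + candidate
        parts = urlsplit(candidate)
        if parts.scheme in ("http", "https") and parts.hostname:
            yield candidate
            yield from nested_targets(candidate, depth + 1)


def host_allowed(host, allowed):
    """Exact host or subdomain match; plain substring tests are unsafe."""
    host = (host or "").rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def naive_filter(url, allowed):
    """Weak filter: validates only the first-level redirect target."""
    first = next(nested_targets(url), None)
    return first is None or host_allowed(urlsplit(first).hostname, allowed)


def chain_filter(url, allowed):
    """Stricter filter: every host in the nested chain must be allowed."""
    hosts = [urlsplit(u).hostname for u in (url, *nested_targets(url))]
    return all(host_allowed(h, allowed) for h in hosts), hosts


# Constructed sample data: shop.example and ads-redirector.example are
# placeholders; "next" and "dest" are hypothetical parameter names.
ALLOWED = {"shop.example", "ads-redirector.example"}
FINAL = "http://securitypost.tumblr.com/"  # test page named in section (2)
VIA_AD = "https://ads-redirector.example/click?" + urlencode({"dest": FINAL})
COVERT = "https://shop.example/out?" + urlencode({"next": VIA_AD})
BENIGN = "https://shop.example/out?" + urlencode({"next": "https://shop.example/cart"})

if __name__ == "__main__":
    for u in (COVERT, BENIGN):
        print(naive_filter(u, ALLOWED), chain_filter(u, ALLOWED))
```

The chain check only sees targets passed in query parameters; a redirector that takes its destination from the path or a fragment needs its own rule, and the more durable fix is to keep third-party redirectors out of the allowlist.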
(3.1) Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net
Domain:
google.com
"Google
is an American multinational technology company specializing in
Internet-related services and products. These include online advertising
technologies, search, cloud computing, and software. Most of its
profits are derived from AdWords, an online advertising service that
places advertising near the list of search results. Google was founded
by Larry Page and Sergey Brin while they were Ph.D. students at Stanford
University. Together they own about 14 percent of its shares but
control 56 percent of the stockholder voting power through supervoting
stock. They incorporated Google as a privately held company on September
4, 1998. An initial public offering followed on August 19, 2004. Its
mission statement from the outset was "to organize the world's
information and make it universally accessible and useful," and its
unofficial slogan was "Don't be evil". In 2004, Google moved to its new
headquarters in Mountain View, California, nicknamed the Googleplex. The
corporation has been estimated to run more than one million servers in
data centers around the world (as of 2007). It processes over one
billion search requests and about 24 petabytes of user-generated data
each day (as of 2009). In December 2013, Alexa listed google.com as the
most visited website in the world. Numerous Google sites in other
languages figure in the top one hundred, as do several other
Google-owned sites such as YouTube and Blogger. Its market dominance has
led to prominent media coverage, including criticism of the company
over issues such as search neutrality, copyright, censorship, and
privacy." (Wikipedia)
Vulnerable URL:
POC:
More Details:
Video:
Blog:
(3.2) eBay Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net
Domain:
ebay.com
"eBay
Inc. (stylized as ebay) is an American multinational corporation and
e-commerce company, providing consumer to consumer & business to
consumer sales services via Internet. It is headquartered in San Jose,
California, United States. eBay was founded by Pierre Omidyar in 1995,
and became a notable success story of the dot-com bubble. Today, it is a
multi-billion dollar business with operations localized in over thirty
countries. The company manages eBay.com, an online auction and shopping
website in which people and businesses buy and sell a broad variety of
goods and services worldwide. In addition to its auction-style sales,
the website has since expanded to include "Buy It Now" shopping;
shopping by UPC, ISBN, or other kind of SKU (via Half.com); online
classified advertisements (via Kijiji or eBay Classifieds); online event
ticket trading (via StubHub); online money transfers (via PayPal) and
other services. It is not a free website, but charges users an invoice
fee when sellers have sold or listed any items." (Wikipedia)
Vulnerable URL:
POC:
More Details:
Video:
Blog:
(3.3) The New York Times (Nytimes.com) Covert Redirect Vulnerability Based on Google Doubleclick.net
Domain:
nytimes.com
"The
New York Times (NYT) is an American daily newspaper, founded and
continuously published in New York City since September 18, 1851, by the
New York Times Company. It has won 114 Pulitzer Prizes, more than any
other news organization. The paper's print version has the largest
circulation of any metropolitan newspaper in the United States, and the
second-largest circulation overall, behind The Wall Street Journal. It
is ranked 39th in the world by circulation. Following industry trends,
its weekday circulation has fallen to fewer than one million daily since
1990. Nicknamed for years as "The Gray Lady", The New York Times is
long regarded within the industry as a national "newspaper of record".
It is owned by The New York Times Company. Arthur Ochs Sulzberger, Jr.,
(whose family (Ochs-Sulzberger) has controlled the paper for five
generations, since 1896), is both the paper's publisher and the
company's chairman. Its international version, formerly the
International Herald Tribune, is now called the International New York
Times." (Wikipedia)
Vulnerable URL:
POC:
More Details:
Video:
Blog:
These vulnerabilities were reported to Google earlier in 2014. But it seems that Google has yet to take any action. All of the vulnerabilities are still not patched.