The New York Times( Covert Redirect Vulnerability Based on Google


The vulnerability exists at “adx_click.html?” page with “&goto” parameter, i.e.




The vulnerability can be attacked without user login. Tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.



(1) When a user is redirected from Nytimes to another site, Nytimes will check parameters “&sn1″ and “&sn2″. If the redirected URL’s domain is OK, Nytimes will allow the reidrection.


However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Nytimes to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Nytimes directly.




One of the vulnerable domain is, (Google’s Ad website)





(2) Use one of webpages for the following tests. The webpage address is “”. We can suppose that this webpage is malicious.




Vulnerable URL:








Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)