Google DoubleClick.net(Advertising) System URL Redirection Vulnerabilities Can be Used by Spammers

google

 

Google DoubleClick.net (Advertising) System URL Redirection Vulnerabilities Could Be Used by Spammers

 

Although Google does not include Open Redirect vulnerabilities in its bug bounty program, its preventive measures against Open Redirect attacks have been quite thorough and effective to date.

 

However, Google might have overlooked the security of its DoubleClick.net ​advertising system. After some test, it is found that most of the redirection URLs within DoubleClick.net are vulnerable to Open Redirect vulnerabilities. Many redirection are likely to be affected. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

 

These redirections can be easily used by spammers, too.

 

Some URLs belong to Googleads.g.Doubleclick.net are vulnerable to Open Redirect attacks, too. While Google prevents similar URL redirections other than Googleads.g.Doubleclick.net. Attackers can use URLs related to Google Account to make the attacks more powerful.

 

Moreover, these vulnerabilities can be used to attack other companies such as Google, eBay, The New York Times, Amazon, Godaddy, Yahoo, Netease, e.g. by bypassing their Open Redirect filters (Covert Redirect). These cyber security security bug problems have not been patched. Other similar web and computer attacks will be published in the near future.

 

 

Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/

 

 

 

(1) Background Related to Google DoubleClick.net.

(1.1) What is DoubleClick.net?

DoubleClick is a subsidiary of Google which develops and provides Internet ad serving services. Its clients include agencies, marketers (Universal McCann, AKQA etc.) and publishers who serve customers like Microsoft, General Motors, Coca-Cola, Motorola, L’Oréal, Palm, Inc., Apple Inc., Visa USA, Nike, Carlsberg among others. DoubleClick’s headquarters is in New York City, United States.

 

DoubleClick was founded in 1996 by Kevin O’Connor and Dwight Merriman. It was formerly listed as “DCLK” on the NASDAQ, and was purchased by private equity firms Hellman & Friedman and JMI Equity in July 2005. In March 2008, Google acquired DoubleClick for US$3.1 billion. Unlike many other dot-com companies, it survived the dot-com bubble and focuses on uploading ads and reporting their performance.” (Wikipedia)

 

(1.2) Reports Related to Google DoubleClick.net Used by Spammers

(1.2.1)

Google DoublClick.net has been used by spammers for long time. The following is a report in 2008.

 

“The open redirect had become popular with spammers trying to lure users into clicking their links, as they could be made to look like safe URLs within Google’s domain.”
https://www.virusbtn.com/blog/2008/06_03a.xml?comments

 

(1.2.2)

Mitechmate published a blog related to DoubleClick.net spams in 2014.

 

Ad.doubleclick.net is recognized as a perilous adware application that causes unwanted redirections when surfing on the certain webpages. Actually it is another browser hijacker that aims to distribute frauds to make money.Commonly people pick up Ad.doubleclick virus when download softwares, browse porn site or read spam email attachments. It enters into computer sneakily after using computer insecurely.Ad.doubleclick.net is not just annoying, this malware traces users’ personal information, which would be utilized for cyber criminal.”
http://blog.mitechmate.com/remove-ad-doubleclick-net-redirect-virus/

 

(1.2.3)

Malwarebytes posted a news related to DoubleClick.net malvertising in 2014.

 

 

(2) DoubleClick.net System URL Redirection Vulnerabilities Details.

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

Used webpages for the following tests. The webpage address is “http://securitypost.tumblr.com/“. We can suppose that this webpage is malicious.

 

 

(2.1) Vulnerable URLs Related to Googleads.g.Doubleclick.net.

(2.1.1)

Some URLs belong to googleads.g.doubleclick.net are vulnerable to Open Redirect attacks. While Google prevents similar URL redirection other than googleads.g.doubleclick.net.

 

Vulnerable URLs:

 

POC:

 

Attackers can make use of the following URLs to make the attacks more powerful, i.e.

 

POC:

 

 

(2.1.2)

While Google prevents similar URL redirection other than googleads.g.doubleclick.net , e.g.

 

 

 

(2.2) Vulnerable URLs Related to DoubleClick.net.

Vulnerable URLs 1:

 

POC:

 

Vulnerable URLs 2:

 

POC:

 

Vulnerable URLs 3:

 

POC:

 

 

We can see that Google DoubleClick.net has Open Redirect vulnerabilities and could be misused by spammers.

 

 

 

(2.3)

 

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Google has patched some of them. BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them. The below things be posted to the Bugtraq list: (a) Information on computer or network related security vulnerabilities (UNIX, Windows NT, or any other). (b) Exploit programs, scripts or detailed processes about the above. (c) Patches, workarounds, fixes. (d) Announcements, advisories or warnings. (e) Ideas, future plans or current works dealing with computer/network security. (f) Information material regarding vendor contacts and procedures. (g) Individual experiences in dealing with above vendors or security organizations. (h) Incident advisories or informational reporting. (i) New or updated security tools. A large number of the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. It also publishes suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.

 

 

 

(3) Google DoubleClick.net Can Adversely Affect Other Websites.

At the same time, Google DoubleClick.net can be used to do “Covert Redirect” to other websites, such as Google, eBay, The New York Times, etc.(Bypass other websites’ Open Redirect filters)

 

 

(3.1) Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

Domain:
google.com

 

“Google is an American multinational technology company specializing in Internet-related services and products. These include online advertising technologies, search, cloud computing, and software. Most of its profits are derived from AdWords, an online advertising service that places advertising near the list of search results. Google was founded by Larry Page and Sergey Brin while they were Ph.D. students at Stanford University. Together they own about 14 percent of its shares but control 56 percent of the stockholder voting power through supervoting stock. They incorporated Google as a privately held company on September 4, 1998. An initial public offering followed on August 19, 2004. Its mission statement from the outset was “to organize the world’s information and make it universally accessible and useful,” and its unofficial slogan was “Don’t be evil”. In 2004, Google moved to its new headquarters in Mountain View, California, nicknamed the Googleplex. The corporation has been estimated to run more than one million servers in data centers around the world (as of 2007). It processes over one billion search requests and about 24 petabytes of user-generated data each day (as of 2009). In December 2013, Alexa listed google.com as the most visited website in the world. Numerous Google sites in other languages figure in the top one hundred, as do several other Google-owned sites such as YouTube and Blogger. Its market dominance has led to prominent media coverage, including criticism of the company over issues such as search neutrality, copyright, censorship, and privacy.” (Wikipedia)

 

Vulnerable URL:

 

POC:

 

More Details:

 

 

(3.2) eBay Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

Domain:
ebay.com

 

“eBay Inc. (stylized as ebay) is an American multinational corporation and e-commerce company, providing consumer to consumer & business to consumer sales services via Internet. It is headquartered in San Jose, California, United States. eBay was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble. Today, it is a multi-billion dollar business with operations localized in over thirty countries. The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. In addition to its auction-style sales, the website has since expanded to include “Buy It Now” shopping; shopping by UPC, ISBN, or other kind of SKU (via Half.com); online classified advertisements (via Kijiji or eBay Classifieds); online event ticket trading (via StubHub); online money transfers (via PayPal) and other services. It is not a free website, but charges users an invoice fee when sellers have sold or listed any items.” (Wikipedia)

 

Vulnerable URL:

 

POC:

 

More Details:

 

 

(3.3) The New York Times (Nytimes.com) Covert Redirect Vulnerability Based on Google Doubleclick.net

Domain:
nytimes.com

 

“The New York Times (NYT) is an American daily newspaper, founded and continuously published in New York City since September 18, 1851, by the New York Times Company. It has won 114 Pulitzer Prizes, more than any other news organization. The paper’s print version has the largest circulation of any metropolitan newspaper in the United States, and the second-largest circulation overall, behind The Wall Street Journal. It is ranked 39th in the world by circulation. Following industry trends, its weekday circulation has fallen to fewer than one million daily since 1990. Nicknamed for years as “The Gray Lady”, The New York Times is long regarded within the industry as a national “newspaper of record”. It is owned by The New York Times Company. Arthur Ochs Sulzberger, Jr., (whose family (Ochs-Sulzberger) has controlled the paper for five generations, since 1896), is both the paper’s publisher and the company’s chairman. Its international version, formerly the International Herald Tribune, is now called the International New York Times.” (Wikipedia)

 

Vulnerable URL:

 

POC:

 

More Details:

 

These vulnerabilities were reported to Google earlier in 2014. But it seems that Google has yet taken any actions. All of the vulnerabilities are still not patched.

 

 

 

 

Related Posts:
http://seclists.org/fulldisclosure/2014/Nov/28
https://cxsecurity.com/issue/WLB-2014110106
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1192
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01307.html
http://computerobsess.blogspot.com/2014/11/google-doubleclicknetadvertising-system.html=
http://www.techenet.com/2014/12/doubleclick-do-google-pode-ser-vulneravel-a-ataques/
https://computertechhut.wordpress.com/2014/11/12/google-doubleclick-spam/
http://mathpost.tumblr.com/post/120760828940/tetraph-google-doubleclick-net-advertising
http://tetraph.com/security/open-redirect/google-doubleclick-netadvertising-system
https://www.facebook.com/essayjeans/posts/838922772865543
https://plus.google.com/u/0/+essayjeans/posts/Y12x6gXfyFX
http://mathstopic.blogspot.com/2015/06/google-doubleclick-spam.html
http://itsecurity.lofter.com/post/1cfbf9e7_72fe79f
https://twitter.com/essayjeans/status/606726247578636288
http://tetraph.tumblr.com/post/120760676767/google-doubleclick-net-advertising-system-url
https://itinfotechnology.wordpress.com/2014/11/18/google-doubleclick-spam/
https://www.facebook.com/permalink.php?story_fbid=945171075538075
http://guyuzui.lofter.com/post/1ccdcda4_7305f25
http://tetraph.blog.163.com/blog/static/23460305120155534216326/
http://www.inzeed.com/kaleidoscope/spamming/google-doubleclick-spam/

 

 

互聯網登錄系統曝出重大漏洞 – Covert Redirect

Algerian-hacker
 

繼OpenSSL漏洞後,開源安全軟件再曝安全漏洞。新加坡南洋理工大學研究人員,物理和數學科學學院博士生王晶 (Wang Jing) 發現,OAuth 2.0, OpenID 授權接口的網站存隱蔽重定向漏洞、英文名為“Covert Redirect”。

 

攻擊者創建壹個使用真實站點地址的彈出式登錄窗口——而不是使用壹個假的域名——以引誘上網者輸入他們的個人信息。

 

黑客可利用該漏洞給釣魚網站“變裝”,用知名大型網站鏈接引誘用護登錄釣魚網站,壹旦用護訪問釣魚網站並成功登六授權,黑客即可讀取其在網站上存儲的私密信息。

 

騰訊,阿裏巴巴,QQ、新浪微博、淘寶網,支付寶,網易,PayPal, eBay, Amazon, Facebook、Google, LinkedIn, Yahoo, VK.com, Microsoft, Mail.ru, Github, WordPress 等國內外大量知名網站受影響。

 

鑒於OAuth和OpenID被廣泛用於各大公司——如微軟、Facebook、Google、以及 LinkedIn——Wang表示他已經向這些公司已經了匯報。Wang聲稱,微軟已經給出了答復,調查並證實該問題出在第三方系統,而不是該公司的自 有 站點。Facebook也表示,“短期內仍無法完成完成這兩個問題的修復工作,只得迫使每個應用程序平臺采用白名單”。至於Google,預計該公司 會追 蹤OpenID的問題;而LinkedIn則聲稱它將很快在博客中說明這壹問題。

 

OAuth 是壹個被廣泛應用的開放登六協議,允許用護讓第三方應用訪問該用護在某壹網站上存儲的私密的信息(如照片,視頻,聯系人列表),而無需將用護名和密碼提供給第三方應用。這次曝出的漏洞,可將Oauth2.0的使用方(第三方網站)的回跳域名劫持到惡意網站去,黑客利用XSS漏洞攻擊就能隨意操作被授權的帳號,讀取用護的隱私信息。像騰訊、新浪微博等社交網站壹般對登六回調地址沒有任何限制,極易遭黑客利用。

 

 

 

相關資料,
http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/
http://tech.firstpost.com/news-analysis/after-heartbleed-major-covert-redirect-flaw-threatens-oauth-openid-and-the-internet-222945.html
http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html
http://techxplore.com/news/2014-05-math-student-oauth-openid-vulnerability.html
http://phys.org/news/2014-05-math-student-oauth-openid-vulnerability.html
http://www.tomsguide.com/us/facebook-google-covert-redirect-flaw,news-18726.html
http://news.yahoo.com/facebook-google-users-threatened-security-192547549.html
http://thehackernews.com/2014/05/nasty-covert-redirect-vulnerability.html
http://www.scmagazine.com/covert-redirect-vulnerability-impacts-oauth-20-openid/article/345407/
http://blog.kaspersky.com/facebook-openid-oauth-vulnerable/
http://www.foxnews.com/tech/2014/05/05/facebook-google-users-threatened-by-new-security-flaw/
http://network.pconline.com.cn/471/4713896.html
http://media.sohu.com/20140504/n399096249.shtml/
http://it.people.com.cn/n/2014/0504/c1009-24969253.html
http://www.cnbeta.com/articles/288503.htm
http://www.inzeed.com/kaleidoscope/computer-security/oauth-2-0-and-openid-covert-redirect/
http://baike.baidu.com/link?url=0v9QZaGB09ePxHb70bzgWqlW-C9jieVguuDObtvJ_6WFY3h2vWnnjNDy4-jliDmqbT47SmdGS1_pZ4BbGN4Re_
http://itinfotech.tumblr.com/post/118850342491/covert-redirect
http://tetraph.com/covert_redirect/
http://ittechnology.lofter.com/post/1cfbf60d_6f09f58
https://zh.wikipedia.org/wiki/%E9%9A%B1%E8%94%BD%E9%87%8D%E5%AE%9A%E5%90%91%E6%BC%8F%E6%B4%9E
http://www.baike.com/wiki/%E9%9A%90%E8%94%BD%E9%87%8D%E5%AE%9A%E5%90%91%E6%BC%8F%E6%B4%9E
http://www.csdn.net/article/2014-05-04/2819588