Ask HN: Why does Google still provide an open redirect for phishers?
16 points
1 day ago
| 3 comments
Google offers a page on https://google.com/url?q=https://news.ycombinator.com/item?id=46613684 that works as an open redirect to any site since at least March 2025 [1].

As such, it often gets used by phishers to piggy-back on the domain reputation of Google by either human actors safety-squinting the domain name or systems that allowlist Google.

Google has often had open redirect problems, for example around AMP, but these seemed to be unintentional and were removed after some time. However, this google.com/url naming scheme almost seems intentional.

This is in contradiction with their own advice (2009) around open redirects [2].

Does anyone know why Google keeps this working, thereby facilitating phishers?

[1] https://www.intego.com/mac-security-blog/scammers-using-new-trick-in-phishing-text-messages-google-redirects/

[2] https://developers.google.com/search/blog/2009/01/open-redirect-urls-is-your-site-being
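Since the post's concern is systems that allowlist google.com by outer hostname, here is an added example (not code from the thread or from Google) that unwraps the q= parameter of google.com/url links before any allowlist decision, following nested wrapping without network access and ignoring q= values that are not absolute URLs; the allowlist, the sample links and the example.invalid destinations are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit, parse_qs

REDIRECTOR_HOSTS = {"google.com", "www.google.com"}  # the /url redirector endpoint
TRUSTED_HOSTS = {"google.com", "www.google.com", "mail.google.com"}  # constructed allowlist

def unwrap_once(url: str) -> Optional[str]:
    """If url is a google.com/url?q=... link, return the q= target, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in REDIRECTOR_HOSTS or parts.path.rstrip("/") != "/url":
        return None
    target = (parse_qs(parts.query).get("q") or [""])[0]  # already percent-decoded
    # Insist on an absolute http(s) URL so a plain search term in q= is ignored.
    if urlsplit(target).scheme not in ("http", "https"):
        return None
    return target

def effective_destination(url: str, max_hops: int = 5) -> str:
    """Strip nested redirector wrapping offline; max_hops prevents endless loops."""
    current = url
    for _ in range(max_hops):
        nxt = unwrap_once(current)
        if nxt is None:
            break
        current = nxt
    return current

def allowlist_decision(url: str) -> dict:
    """Contrast trusting the outer host with trusting the host actually reached."""
    outer = (urlsplit(url).hostname or "").lower()
    final = effective_destination(url)
    landing = (urlsplit(final).hostname or "").lower()
    return {"outer_host": outer, "landing_host": landing,
            "naive_allow": outer in TRUSTED_HOSTS,
            "correct_allow": landing in TRUSTED_HOSTS,
            "wrapped": final != url}

# Constructed sample links (example.invalid is a reserved, non-resolving name).
SAMPLES = [
    "https://google.com/url?q=https://news.ycombinator.com/item?id=46613684",
    "https://www.google.com/url?q=https%3A%2F%2Fexample.invalid%2Flogin",
    "https://mail.google.com/mail/u/0/",
    "https://google.com/url?q=https://google.com/url?q=https://example.invalid/x",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(allowlist_decision(sample))
```

A gateway that keys its trust on `landing_host` rather than `outer_host` is not fooled by the wrapper, whatever reputation the outer domain carries.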

egberts1
2 hours ago
No notice for:

- Linux, Debian 12, Firefox
- Linux, Gentoo, Waterfox
- Linux, Mint, DuckDuckGo
- iOS, DuckDuckGo
- BSD, terminal, Lynx

r_lee
7 hours ago
Not to mention all the translate.google.com redirects that get indexed in Google, but Google says nothing is wrong and wontfix
ravshan
2 hours ago
Can you clarify what you mean by that?
jprezant
1 day ago
I don't think Google would consider this an open redirect. It displays a notice and requires user interaction.
throwaway89201
1 day ago
It doesn't for me at all. If I go to the URL I provided in the OP, the Google server responds with a 301 status code and Location header. Both when logged into a Google account and without logging in. Strange that it behaves in a different way (?) for you.

It will probably filter the URL through Google Safe Browsing, but that doesn't help much for phishing as they mostly use new or reputable domains, and browsers check that list on default settings anyway.

blahlabs
2 hours ago
Using Vanadium on grapheneos and I get

"The page you were on is trying to send you to https://news.ycombinator.com/item?id=46613684.

If you do not want to visit that page, you can return to the previous page."

BenjiWiebe
7 hours ago
Doesn't show a notice or require user interaction for me.

Android, mobile Firefox.

andreareina
5 hours ago
Firefox 146 on Arch, no notice, just got redirected right away.