提问 HN:为什么 Google 仍然为钓鱼者提供开放重定向?
2 分•作者: throwaway89201•6 个月前
谷歌在其页面 https://google.com/url?q=https://news.ycombinator.com/item?id=46613684 上提供了一个开放重定向功能,该功能至少从 2025 年 3 月开始就可以将用户重定向到任何网站 [1]。
因此,它经常被钓鱼者利用,借用谷歌的域名声誉,欺骗那些仅仅扫一眼域名的人类用户,或者欺骗允许谷歌域名通过的系统。
谷歌经常遇到开放重定向问题,例如在 AMP 方面,但这些问题似乎是无意的,并在一段时间后被移除。然而,这种 google.com/url 命名方案几乎像是故意的。
这与他们自己关于开放重定向的建议(2009 年)相矛盾 [2]。
有人知道为什么谷歌一直保留这个功能,从而方便了钓鱼者吗?
[1] https://www.intego.com/mac-security-blog/scammers-using-new-trick-in-phishing-text-messages-google-redirects/
[2] https://developers.google.com/search/blog/2009/01/open-redirect-urls-is-your-site-being
查看原文
Google offers a page on https://google.com/url?q=https://news.ycombinator.com/item?id=46613684 that works as an open redirect to any site since at least March 2025 [1].<p>As such, it often gets used by phishers to piggy-back on the domain reputation of Google by either human actors safety-squinting the domain name or systems that allowlist Google.<p>Google has often had open redirect problems, for example around AMP, but these seemed to be unintentional and were removed after some time. However, this google.com/url naming scheme almost seems intentional.<p>This is in contradiction with their own advice (2009) around open redirects [2].<p>Does anyone know why Google keeps this working, thereby facilitating phishers?<p>[1] https://www.intego.com/mac-security-blog/scammers-using-new-trick-in-phishing-text-messages-google-redirects/<p>[2] https://developers.google.com/search/blog/2009/01/open-redirect-urls-is-your-site-being