
Ask HN: Why does Google still provide an open redirect for phishers?

24•throwaway89201•3w ago
Google offers a page on https://google.com/url?q=https://news.ycombinator.com/item?id=46613684 that works as an open redirect to any site since at least March 2025 [1].

As such, it often gets used by phishers to piggy-back on the domain reputation of Google by either human actors safety-squinting the domain name or systems that allowlist Google.

Google has often had open redirect problems, for example around AMP, but these seemed to be unintentional and were removed after some time. However, this google.com/url naming scheme almost seems intentional.

This is in contradiction with their own advice (2009) around open redirects [2].

Does anyone know why Google keeps this working, thereby facilitating phishers?

[1] https://www.intego.com/mac-security-blog/scammers-using-new-trick-in-phishing-text-messages-google-redirects/

[2] https://developers.google.com/search/blog/2009/01/open-redirect-urls-is-your-site-being
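Two defender-side checks follow from the post: a mail or proxy filter that allowlists "google.com" must apply its verdict to the real destination behind google.com/url?q=..., not to the wrapper, and a site's own redirect endpoint should only accept allowlisted targets (the remedy the 2009 advice linked above describes). The code below is an added example written for this page, not code from the thread or from Google; the redirector table, the allowlist values and hostnames such as trusted.example and evil.example are constructed for illustration.

```python
"""Defender-side helpers for the open-redirect problem discussed in the post.

1. unwrap_redirector(): resolve the *effective* destination of a URL that passes
   through a known redirector such as google.com/url?q=..., purely syntactically
   (no network), so reputation / allowlist checks see the real target.
2. safe_redirect_target(): the allowlist check a site's own redirect endpoint
   should perform so that it does not become an open redirect itself.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed table of known redirector endpoints: (host, path) -> query parameter
# carrying the destination. Only the google.com/url?q= form from the post is
# listed (assumption: both host spellings behave alike); extend it with other
# wrappers observed in your own mail or proxy logs.
KNOWN_REDIRECTORS = {
    ("google.com", "/url"): "q",
    ("www.google.com", "/url"): "q",
}


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none (relative path)."""
    return (urlsplit(url.replace("\\", "/")).hostname or "").lower()


def unwrap_redirector(url, max_hops=5):
    """Return the final destination of `url` after peeling known redirector
    wrappers; max_hops bounds chained wrappers. Non-redirector URLs are
    returned unchanged."""
    current = url
    for _ in range(max_hops):
        parts = urlsplit(current)
        param = KNOWN_REDIRECTORS.get(((parts.hostname or "").lower(), parts.path))
        if param is None:
            break
        targets = parse_qs(parts.query).get(param)  # parse_qs percent-decodes values
        if not targets:
            break
        current = targets[0]
    return current


def host_allowed(host, allowlist):
    """True if host equals an allowlisted host or is a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowlist)


def effective_host_allowed(url, allowlist):
    """Apply the allowlist to the *unwrapped* destination, not to the wrapper.
    A naive check on the outer host would pass any google.com/url?q= link."""
    return host_allowed(_host(unwrap_redirector(url)), allowlist)


def safe_redirect_target(requested, allowed_hosts, fallback="/"):
    """Validate the redirect parameter of a site's own redirect endpoint.
    Accepts only http(s) URLs whose host is allowlisted, or absolute-path
    relative targets that stay on the origin; anything else yields `fallback`."""
    if not requested:
        return fallback
    normalized = requested.replace("\\", "/")  # browsers treat '\' like '/' here
    parts = urlsplit(normalized)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return fallback  # javascript:, data:, and other non-web schemes
        # hostname ignores userinfo, so "https://trusted@evil/" resolves to evil
        host = (parts.hostname or "").lower()
        return normalized if host_allowed(host, allowed_hosts) else fallback
    if normalized.startswith("//"):
        return fallback  # scheme-relative URL resolves to an external host
    if not normalized.startswith("/"):
        return fallback  # keep it to absolute-path targets on our own origin
    return normalized


if __name__ == "__main__":
    # Constructed sample link in the shape the post describes.
    sample = "https://google.com/url?q=https://news.ycombinator.com/item?id=46613684"
    print(unwrap_redirector(sample))
    print(effective_host_allowed(sample, ["google.com"]))  # False: real target is HN
```

The unwrapping is deliberately syntactic: it never fetches the URL, so it is safe to run inside a mail filter on untrusted input, and the hop bound stops a wrapper chain from looping. The redirect validator rejects scheme-relative, backslash and userinfo forms that a plain string-prefix check on the trusted domain would let through.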

Comments

jprezant•3w ago
I don't think Google would consider this an open redirect. It displays a notice and requires user interaction.
throwaway89201•3w ago
It doesn't for me at all. If I go to the URL I provided in the OP, the Google server responds with a 301 status code and Location header. Both when logged into a Google account and without logging in. Strange that it behaves in a different way (?) for you.

It will probably filter the URL through Google Safe Browsing, but that doesn't help much for phishing as they mostly use new or reputable domains, and browsers check that list on default settings anyway.

blahlabs•3w ago
Using Vanadium on grapheneos and I get

"The page you were on is trying to send you to https://news.ycombinator.com/item?id=46613684.

If you do not want to visit that page, you can return to the previous page."

BenjiWiebe•3w ago
Doesn't show a notice or require user interaction for me.

Android, mobile Firefox.

andreareina•3w ago
Firefox 146 on Arch, no notice just got redirected right away.
r_lee•3w ago
Not to mention all the translate.google.com redirects that get indexed in Google, but Google says nothing is wrong and wontfix
ravshan•3w ago
Can you clarify what you mean by that?
r_lee•3w ago
There are many abusable URL endpoints within Translate, or at least there were recently, but when I tried to complain about it to Google, they just ignored it and said it's intended or whatever.

From what I can remember there are pure redirects and proxied translated pages, where the page will be under translate.google.com but show the malicious page, and when you then click on stuff it can continue to the abusive page directly.

But in general it takes Google eternities to do anything about abuse in their products, from my experience.

egberts1•3w ago
No notice for:

- Linux, Debian 12, Firefox
- Linux, Gentoo, Waterfox
- Linux, Mint, DuckDuckGo
- iOS, DuckDuckGo
- BSD, terminal, Lynx