Ask HN: Why does Google still provide an open redirect for phishers?

24•throwaway89201•3w ago

Google offers a page on https://google.com/url?q=https://news.ycombinator.com/item?id=46613684 that works as an open redirect to any site since at least March 2025 [1].

As such, it often gets used by phishers to piggy-back on the domain reputation of Google by either human actors safety-squinting the domain name or systems that allowlist Google.

Google has often had open redirect problems, for example around AMP, but these seemed to be unintentional and were removed after some time. However, this google.com/url naming scheme almost seems intentional.

This is in contradiction with their own advice (2009) around open redirects [2].

Does anyone know why Google keeps this working, thereby facilitating phishers?

[1] https://www.intego.com/mac-security-blog/scammers-using-new-trick-in-phishing-text-messages-google-redirects/

[2] https://developers.google.com/search/blog/2009/01/open-redirect-urls-is-your-site-being

Comments

jprezant•3w ago

I don't think Google would consider this an open redirect. It displays a notice and requires user interaction.

throwaway89201•3w ago

It doesn't for me at all. If I go to the URL I provided in the OP, the Google server responds with a 301 status code and Location header. Both when logged into a Google account and without logging in. Strange that it behaves in a different way (?) for you.

It will probably filter the URL through Google Safe Browsing, but that doesn't help much for phishing as they mostly use new or reputable domains, and browsers check that list on default settings anyway.

blahlabs•3w ago

Using Vanadium on grapheneos and I get

"The page you were on is trying to send you to https://news.ycombinator.com/item?id=46613684.

If you do not want to visit that page, you can return to the previous page."

BenjiWiebe•3w ago

Doesn't show a notice or require user interaction for me.

Android, mobile Firefox.

andreareina•3w ago

Firefox 146 on Arch, no notice just got redirected right away.

r_lee•3w ago

Not to mention all the translate.google.com redirects that get indexed in Google, but Google says nothing is wrong and wontfix

ravshan•3w ago

Can you clarify what do you mean by that?

r_lee•3w ago

There's many abusable url endpoints within Translate or at least there were recently, but when I tried to complain about it to Google, they just ignored it and said it's intended or whatever.

from what I can remember there's pure redirects and proxied translates pages, where the page will be under translate.google.com but show the malicious page and when you then click on stuff it can continue to the abusive page directly

but in general it takes Google eternities to do anything about abuse in their products from my experience

egberts1•3w ago

No notice for:

- Linux, Debian 12, Firefox - Linux, Gentoo, Waterfox - Linux, Mint, DuckDuckGo - iOS, DuckDuckGo - BSD, terminal, Lynx

Study confirms experience beats youthful enthusiasm

The Big Hunger by Walter J Miller, Jr. (1952)

The Genus Amanita

We have broken SHA-1 in practice

Ask HN: Was my first management job bad, or is this what management is like?

Ask HN: How to Reduce Time Spent Crimping?

KV Cache Transform Coding for Compact Storage in LLM Inference

A quantitative, multimodal wearable bioelectronic device for stress assessment

Why Big Tech Is Throwing Cash into India in Quest for AI Supremacy

How to shoot yourself in the foot – 2026 edition

Eight More Months of Agents

From Human Thought to Machine Coordination

The new X API pricing must be a joke

Show HN: RMA Dashboard fast SAST results for monorepos (SARIF and triage)

Show HN: Source code graphRAG for Java/Kotlin development based on jQAssistant

Python Only Has One Real Competitor

Tmux to Zellij (and Back)

Ask HN: How are you using specialized agents to accelerate your work?

Passing user_id through 6 services? OTel Baggage fixes this

DavMail Pop/IMAP/SMTP/Caldav/Carddav/LDAP Exchange Gateway

Visual data modelling in the browser (open source)

Show HN: Tharos – CLI to find and autofix security bugs using local LLMs

Oddly Simple GUI Programs

The New Playbook for Leaders [pdf]

Interactive Unboxing of J Dilla's Donuts

OneCourt helps blind and low-vision fans to track Super Bowl live

Rudolf Vrba

Autism Incidence in Girls and Boys May Be Nearly Equal, Study Suggests

Wellness Hotels Discovery Application

NASA delays moon rocket launch by a month after fuel leaks during test