Ask HN: Why does Google still provide an open redirect for phishers?

24•throwaway89201•3w ago

Google offers a page on https://google.com/url?q=https://news.ycombinator.com/item?id=46613684 that works as an open redirect to any site since at least March 2025 [1].

As such, it often gets used by phishers to piggy-back on the domain reputation of Google by either human actors safety-squinting the domain name or systems that allowlist Google.

Google has often had open redirect problems, for example around AMP, but these seemed to be unintentional and were removed after some time. However, this google.com/url naming scheme almost seems intentional.

This is in contradiction with their own advice (2009) around open redirects [2].

Does anyone know why Google keeps this working, thereby facilitating phishers?

[1] https://www.intego.com/mac-security-blog/scammers-using-new-trick-in-phishing-text-messages-google-redirects/

[2] https://developers.google.com/search/blog/2009/01/open-redirect-urls-is-your-site-being

Comments

jprezant•3w ago

I don't think Google would consider this an open redirect. It displays a notice and requires user interaction.

throwaway89201•3w ago

It doesn't for me at all. If I go to the URL I provided in the OP, the Google server responds with a 301 status code and Location header. Both when logged into a Google account and without logging in. Strange that it behaves in a different way (?) for you.

It will probably filter the URL through Google Safe Browsing, but that doesn't help much for phishing as they mostly use new or reputable domains, and browsers check that list on default settings anyway.

blahlabs•3w ago

Using Vanadium on grapheneos and I get

"The page you were on is trying to send you to https://news.ycombinator.com/item?id=46613684.

If you do not want to visit that page, you can return to the previous page."

BenjiWiebe•3w ago

Doesn't show a notice or require user interaction for me.

Android, mobile Firefox.

andreareina•3w ago

Firefox 146 on Arch, no notice just got redirected right away.

r_lee•3w ago

Not to mention all the translate.google.com redirects that get indexed in Google, but Google says nothing is wrong and wontfix

ravshan•3w ago

Can you clarify what do you mean by that?

r_lee•3w ago

There's many abusable url endpoints within Translate or at least there were recently, but when I tried to complain about it to Google, they just ignored it and said it's intended or whatever.

from what I can remember there's pure redirects and proxied translates pages, where the page will be under translate.google.com but show the malicious page and when you then click on stuff it can continue to the abusive page directly

but in general it takes Google eternities to do anything about abuse in their products from my experience

egberts1•3w ago

No notice for:

- Linux, Debian 12, Firefox - Linux, Gentoo, Waterfox - Linux, Mint, DuckDuckGo - iOS, DuckDuckGo - BSD, terminal, Lynx

ShowHN: Make OpenClaw Respond in Scarlett Johansson’s AI Voice from the Film Her

CReact Version 0.3.0 Released

Show HN: CReact – AI Powered AWS Website Generator

The rocky 1960s origins of online dating (2025)

Show HN: Agent-fetch – Sandboxed HTTP client with SSRF protection for AI agents

Why there is no official statement from Substack about the data leak

Effects of Zepbound on Stool Quality

Show HN: Seedance 2.0 – The Most Powerful AI Video Generator

Ask HN: Do we need "metadata in source code" syntax that LLMs will never delete?

Pentagon cutting ties w/ "woke" Harvard, ending military training & fellowships

Can Quantum-Mechanical Description of Physical Reality Be Considered Complete? [pdf]

Kessler Syndrome Has Started [video]

Complex Heterodynes Explained

EVs Are a Failed Experiment

MemAlign: Building Better LLM Judges from Human Feedback with Scalable Memory

CCC (Claude's C Compiler) on Compiler Explorer

Homeland Security Spying on Reddit Users

Actors with Tokio (2021)

Can graph neural networks for biology realistically run on edge devices?

Deeper into the shareing of one air conditioner for 2 rooms

Weatherman introduces fruit-based authentication system to combat deep fakes

Why Embedded Models Must Hallucinate: A Boundary Theory (RCC)

A Curated List of ML System Design Case Studies

Pony Alpha: New free 200K context model for coding, reasoning and roleplay

Show HN: Tunbot – Discord bot for temporary Cloudflare tunnels behind CGNAT

Open Problems in Mechanistic Interpretability

Bye Bye Humanity: The Potential AMOC Collapse

Dexter: Claude-Code-Style Agent for Financial Statements and Valuation

Digital Iris [video]

Essential CDN: The CDN that lets you do more than JavaScript