Ask HN: Why does Google still provide an open redirect for phishers?

2 points, by throwaway8920124 days ago, original post
Google offers a page on https://google.com/url?q=https://news.ycombinator.com/item?id=46613684 that works as an open redirect to any site since at least March 2025 [1].

As such, it often gets used by phishers to piggy-back on the domain reputation of Google by either human actors safety-squinting the domain name or systems that allowlist Google.

Google has often had open redirect problems, for example around AMP, but these seemed to be unintentional and were removed after some time. However, this google.com/url naming scheme almost seems intentional.

This is in contradiction with their own advice (2009) around open redirects [2].

Does anyone know why Google keeps this working, thereby facilitating phishers?

[1] https://www.intego.com/mac-security-blog/scammers-using-new-trick-in-phishing-text-messages-google-redirects/

[2] https://developers.google.com/search/blog/2009/01/open-redirect-urls-is-your-site-being
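As an added example (not part of the post above), a defender-side check that unwraps known redirector links such as the google.com/url?q= endpoint the post describes before applying a domain allowlist, which shows why a naive host-based allowlist is bypassed. The REDIRECTORS table, the ALLOWLIST and the sample URLs are constructed assumptions for illustration.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed table of known redirector endpoints: (host, path) -> query
# parameter that carries the destination. The google.com/url?q= entry is
# taken from the post; keeping such a table is an assumption, not a catalogue.
REDIRECTORS = {
    ("google.com", "/url"): "q",
    ("www.google.com", "/url"): "q",
}

# Constructed naive allowlist of the kind a mail gateway might keep.
ALLOWLIST = {"google.com", "www.google.com"}


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def unwrap_redirect(url, max_hops=5):
    """Peel known redirector wrappers from the URL itself, without any network
    access. Returns (final_destination, number_of_wrapper_layers_removed).
    max_hops bounds nested wrappers so a crafted URL cannot loop forever."""
    hops = 0
    while hops < max_hops:
        parts = urlsplit(url)
        param = REDIRECTORS.get(((parts.hostname or "").lower(), parts.path))
        if param is None:
            return url, hops          # not a known redirector: stop here
        values = parse_qs(parts.query).get(param)
        if not values:
            return url, hops          # redirector path but no destination
        url = unquote(values[0])      # destination may be percent-encoded
        hops += 1
    return url, hops


def naive_allowed(url):
    """Allowlist decision that looks only at the visible host (the bypass)."""
    return host_of(url) in ALLOWLIST


def effective_allowed(url):
    """Allowlist decision applied to the real destination after unwrapping."""
    final, _ = unwrap_redirect(url)
    return host_of(final) in ALLOWLIST
```

A gateway that applies effective_allowed instead of naive_allowed evaluates the link the user will actually land on, so the wrapper's domain reputation no longer carries the destination through.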