
Full Disclosure mailing list archives
apis.google.com - Insecure redirect via __lu parameter (exploited in the wild)
From: Patrick via Fulldisclosure <fulldisclosure () seclists org>
Date: Thu, 16 Oct 2025 11:09:08 +0000
----------------------------------------------------------------------------
Summary
----------------------------------------------------------------------------
A CWE-601 (Open Redirect) vulnerability has been identified in the additnow
functionality of apis.google.com. The vulnerability has been actively exploited
in targeted phishing attacks since at least September 15, 2025.

----------------------------------------------------------------------------
Affected host(s)
----------------------------------------------------------------------------
- apis.google.com

----------------------------------------------------------------------------
Proof of Concept (PoC)
----------------------------------------------------------------------------
- https://apis.google.com/additnow/l?applicationId=1&__ls=ogb&__lu=URL_HERE
  (parameter "__lu=" controls the redirect target)

----------------------------------------------------------------------------
Impact
----------------------------------------------------------------------------
An open redirect allows an attacker to craft a URL on the affected domain that
redirects users to an arbitrary external site. Impact scenarios include:
- Phishing: attackers can send links that appear to be from google.com but
  redirect to malicious sites.
- Bypass of spam/URL filters by leveraging a high-reputation domain.
- Link manipulation in SEO/social contexts.

----------------------------------------------------------------------------
Severity
----------------------------------------------------------------------------
Medium (confirmed exploitation in the wild)

----------------------------------------------------------------------------
Technical notes
----------------------------------------------------------------------------
- Root cause: insufficient validation of user-supplied redirect targets in the
  "__lu" parameter.
- Redirection is immediate (no further interaction required).

----------------------------------------------------------------------------
Weaponized demo (safe to click)
----------------------------------------------------------------------------
- https://apis.google.com/additnow/l?applicationId=1&__ls=ogb&__lu=%68%74%74%70%73%3A%2F%2F%73%69%76%65%72%74%2E%70%6C
  (this redirects to https://sivert.pl)

----------------------------------------------------------------------------
Timeline
----------------------------------------------------------------------------
- Discovery: 2025-09-15 (exploited by unknown threat actors since at least that date)
- Public disclosure: 2025-10-16 (this post)

----------------------------------------------------------------------------
Contact
----------------------------------------------------------------------------
- Name: Patrick (SivertPL)
- Email: kroppoloe () protonmail ch
- Website: https://sivert.pl
- X: @__tfr

----------------------------------------------------------------------------
Information for the Vendor
----------------------------------------------------------------------------
This is not the first time CWE-601 issues in Google services have been abused
by threat actors. Please prioritize remediation to prevent further exploitation.

----------------------------------------------------------------------------
Acknowledgements
----------------------------------------------------------------------------
- Shoutout to Google - fix your open redirects!

--
2025-10-16
SivertPL (kroppoloe () protonmail ch)
--

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
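Added example (not part of Patrick's post): a defender-side check for the "__lu" redirect target described above. It decodes the percent-encoded target exactly as in the demo URL, rejects destinations outside an allowlist (the mitigation for CWE-601), and scans constructed proxy-log lines for abuse. The allowlist contents and the log format are assumptions for illustration, not Google's configuration.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed allowlist of hosts the additnow redirect may land on (illustrative, not Google's).
ALLOWED_REDIRECT_HOSTS = {"www.google.com", "accounts.google.com"}

def extract_redirect_target(url):
    """Return the fully decoded __lu target of an apis.google.com/additnow URL, or None."""
    parts = urlsplit(url)
    if parts.hostname != "apis.google.com" or not parts.path.startswith("/additnow/"):
        return None
    lu = parse_qs(parts.query).get("__lu")
    if not lu:
        return None
    target = lu[0]  # parse_qs already removed one layer of percent-encoding
    # The demo percent-encodes the whole target; keep decoding (bounded) so a
    # double-encoded variant cannot slip past a naive substring filter on "http".
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def is_external(target):
    """True if a decoded redirect target would leave the allowlisted hosts."""
    if "\\" in target:
        return True  # browsers treat /\host like //host; reject outright
    parts = urlsplit(target)  # "//host" and "user@host" forms both resolve to hostname
    if parts.scheme and parts.scheme not in ("http", "https"):
        return True  # non-web schemes are never a valid redirect destination
    host = (parts.hostname or "").lower()
    if not host:
        return False  # plain relative path: stays on the serving origin
    return host not in ALLOWED_REDIRECT_HOSTS

def scan_log(lines):
    """Return (line_no, target) for requests whose __lu redirects off-allowlist."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in line.split():
            target = extract_redirect_target(token) if "additnow" in token else None
            if target is not None and is_external(target):
                hits.append((n, target))
    return hits

# Constructed proxy log lines; the first reuses the advisory's own demo URL.
SAMPLE_LOG = [
    "2025-10-16T10:00:01Z 10.0.0.5 GET https://apis.google.com/additnow/l?applicationId=1&__ls=ogb&__lu=%68%74%74%70%73%3A%2F%2F%73%69%76%65%72%74%2E%70%6C 302",
    "2025-10-16T10:00:02Z 10.0.0.7 GET https://apis.google.com/additnow/l?applicationId=1&__ls=ogb&__lu=%2Fsettings 302",
    "2025-10-16T10:00:03Z 10.0.0.9 GET https://www.google.com/search?q=additnow 200",
]
```

Running `scan_log(SAMPLE_LOG)` flags only the first line, whose decoded target is https://sivert.pl; the relative "/settings" target on the second line passes the allowlist check.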