Full Disclosure mailing list archives

apis.google.com - Insecure redirect via __lu parameter (exploited in the wild)


From: Patrick via Fulldisclosure <fulldisclosure () seclists org>
Date: Thu, 16 Oct 2025 11:09:08 +0000

----------------------------------------------------------------------------
Summary
----------------------------------------------------------------------------
A CWE-601 (Open Redirect) vulnerability has been identified in the additnow
redirector endpoint (/additnow/l) on apis.google.com. The vulnerability has been
actively exploited in targeted phishing attacks since at least September 15, 2025.

----------------------------------------------------------------------------
Affected host(s)
----------------------------------------------------------------------------
- apis.google.com

----------------------------------------------------------------------------
Proof of Concept (PoC)
----------------------------------------------------------------------------
- https://apis.google.com/additnow/l?applicationId=1&__ls=ogb&__lu=URL_HERE
  (parameter "__lu=" controls the redirect target)

----------------------------------------------------------------------------
Impact
----------------------------------------------------------------------------
An open redirect allows an attacker to craft a URL on the affected domain that
redirects users to an arbitrary external site. Impact scenarios include:

- Phishing: attackers can send links that appear to be from google.com but
  redirect to malicious sites.
- Bypass of spam/URL filters by leveraging a high-reputation domain.
- Link manipulation in SEO/social contexts.

----------------------------------------------------------------------------
Severity
----------------------------------------------------------------------------
Medium (confirmed exploitation in the wild)

----------------------------------------------------------------------------
Technical notes
----------------------------------------------------------------------------
- Root cause: the value of the "__lu" parameter is used as the redirect target
  without being restricted to a Google-controlled host, so any absolute URL is
  accepted.
- The parameter accepts percent-encoded values, so the real destination can be
  hidden from casual inspection of the link (see the demo below).
- Redirection is immediate (no further interaction required); a single GET to
  the crafted URL lands the user on the attacker-chosen site.

----------------------------------------------------------------------------
Weaponized demo (safe to click)
----------------------------------------------------------------------------
- https://apis.google.com/additnow/l?applicationId=1&__ls=ogb&__lu=%68%74%74%70%73%3A%2F%2F%73%69%76%65%72%74%2E%70%6C
  (this redirects to https://sivert.pl)
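The following is an added example, not code from the advisory or from Google. It
covers two things the post describes: a detection routine that scans URLs (for
instance from mail or proxy logs) for the /additnow/l endpoint and flags any
"__lu" target that points off-domain, decoding nested percent-encoding so that
obfuscated targets like the demo above are resolved; and the allow-list check
that a hardened redirector would apply before following the parameter. The
allow-list contents, the sample URLs other than the demo URL, and the
"evil.example" host are constructed for illustration and are not from the post.

```python
"""Added example: detect open-redirect abuse of a redirector endpoint, and show
the allow-list check a hardened redirector would apply.

Not code from the original advisory or from Google. The endpoint path and the
"__lu" parameter name come from the post; the allow-list, the "evil.example"
host and all sample URLs except the demo URL are constructed for illustration.
"""
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

REDIRECTOR_HOST = "apis.google.com"
REDIRECTOR_PATH = "/additnow/l"
PARAM = "__lu"

# Hosts a hardened redirector would be allowed to send users to.
# Assumed allow-list for illustration only; not Google's actual policy.
ALLOWED_HOSTS = {"google.com", "www.google.com", "accounts.google.com"}


def decode_target(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so nested encodings (e.g. %2568 -> %68 -> h)
    are resolved before the host is inspected."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_allowed_target(target: str) -> bool:
    """Allow-list check a hardened redirector should apply to the target.

    Rejects non-http(s) schemes (javascript:, data:), scheme-relative URLs
    (//evil.example), userinfo tricks (https://google.com@evil.example) and
    look-alike hosts (google.com.evil.example)."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    # urlsplit().hostname already discards any user:pass@ prefix, so the
    # userinfo trick yields the real host, not the decoy.
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def redirect_target(url: str) -> Optional[str]:
    """Return the decoded __lu target if `url` hits the redirector endpoint,
    else None. parse_qs performs one round of percent-decoding itself;
    decode_target handles anything nested beneath that."""
    parts = urlsplit(url)
    if parts.hostname != REDIRECTOR_HOST or parts.path != REDIRECTOR_PATH:
        return None
    values = parse_qs(parts.query).get(PARAM)
    if not values:
        return None
    return decode_target(values[0])


def scan_urls(urls: List[str]) -> List[Tuple[str, str]]:
    """Flag redirector URLs whose __lu resolves to a host outside the
    allow-list. Returns (original_url, decoded_target) pairs."""
    findings = []
    for u in urls:
        target = redirect_target(u)
        if target is not None and not is_allowed_target(target):
            findings.append((u, target))
    return findings


# Constructed sample input: the demo URL from the post plus illustrative cases.
SAMPLE_URLS = [
    # Legitimate: target stays on an allow-listed host.
    "https://apis.google.com/additnow/l?applicationId=1&__ls=ogb"
    "&__lu=https://accounts.google.com/",
    # The post's demo: fully percent-encoded external target.
    "https://apis.google.com/additnow/l?applicationId=1&__ls=ogb"
    "&__lu=%68%74%74%70%73%3A%2F%2F%73%69%76%65%72%74%2E%70%6C",
    # Userinfo trick: decoy host before '@', real host after it.
    "https://apis.google.com/additnow/l?applicationId=1&__ls=ogb"
    "&__lu=https%3A%2F%2Fgoogle.com%40evil.example%2F",
    # Double-encoded target: %25xx survives one round of decoding.
    "https://apis.google.com/additnow/l?applicationId=1&__ls=ogb"
    "&__lu=%2568%2574%2574%2570%2573%253A%252F%252Fevil.example",
    # Not the redirector endpoint at all.
    "https://www.google.com/search?q=open+redirect",
]

if __name__ == "__main__":
    for url, target in scan_urls(SAMPLE_URLS):
        print(f"open-redirect hit: {url}\n  -> {target}")
```

Run over the constructed sample, the scanner reports three hits (the demo URL
resolving to https://sivert.pl, the userinfo case resolving to evil.example,
and the double-encoded case) and ignores the legitimate and non-endpoint URLs.
The same `is_allowed_target` check, applied server-side before issuing the
302, is the fix the advisory asks for: the redirector follows `__lu` only when
the decoded host is on an explicit allow-list.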

----------------------------------------------------------------------------
Timeline
----------------------------------------------------------------------------
- Discovery: 2025-09-15 (exploited by unknown threat actors since at least that date)
- Public disclosure: 2025-10-16 (this post)

----------------------------------------------------------------------------
Contact
----------------------------------------------------------------------------
- Name: Patrick (SivertPL)
- Email: kroppoloe () protonmail ch
- Website: https://sivert.pl
- X: @__tfr

----------------------------------------------------------------------------
Information for the Vendor
----------------------------------------------------------------------------

This is not the first time CWE-601 issues in Google services have been abused by
threat actors.

Please prioritize remediation to prevent further exploitation.

----------------------------------------------------------------------------
Acknowledgements
----------------------------------------------------------------------------
- Shoutout to Google - fix your open redirects!

-- 2025-10-16 SivertPL (kroppoloe () protonmail ch) --
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

