Ryan Jones Blog – dotCULT.com Ryan Jones Blogs About Internet Culture, Marketing, SEO, & Social Media

January 31, 2008

Redirecting Using Google’s I’m Feeling Lucky

Filed under: Main — Ryan Jones @ 2:19 pm

When it comes to internet phishing or spamming, much success relies upon tricking the user into clicking a link. Often one can tell how legitimate a link is simply by looking at it. For example, if you’re telling me that you’re PayPal but I don’t see paypal.com in the URL, I’m going to know it’s fake.

Recently though, some people (including myself) have stumbled upon a way to redirect people to a website using an innocent-looking Google link. The trick revolves around the “I’m Feeling Lucky” feature of Google.

Appending &btnI=3564 to a Google search query sends the user straight to the first result for that query, just as the “I’m Feeling Lucky” button does.

In order to use this trick, you’ll need to find a search term that your website comes up first for. Since it can be any term though, it’s quite easy to make up a random string and include it on your page. Here’s an example:

If I wanted to “Rick Roll” you (trick you into viewing a Rick Astley video) I could link to the YouTube video, but you might not click. If I used this trick though, I could send you the following URL:

http://www.google.com/search?q=eBGIQ7ZuuiU&btnI=3564

In this URL, q= is the search term, and then the btnI=3564 tells Google to use the “I’m Feeling Lucky” feature. Clicking it, you’ll be taken straight to the YouTube page.

Ok, neat trick but where’s the security vulnerability?

I used Rick Astley here, but I could have easily used 2 girls 1 cup. Even worse, what if I had used a fake page made to look like Google instead? You might not notice that the URL at the top is different, and you may even type in your username and password to log in. It may not work on sophisticated internet users, but using the trusted Google.com domain will certainly bypass any anti-phishing software that works with email programs.

Note: The same can be done with any type of proxy site on the internet. GoDaddy recently told me I had to move Unblockd off of my server there for this reason.
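As an added defensive example (not code from the original post), here is a small Python link filter of the kind a mail gateway or chat bot could run: it extracts links from a message body and flags any google.com /search link that carries the btnI parameter as an open-redirect candidate, reporting the search term the redirect would go through. The sample message body and the helper names are constructed for this example; the filter also accepts a bare btnI with no value, the form the comment on this post describes, and matches on the parameter's presence rather than on the value 3564.

```python
"""Flag links that use Google's "I'm Feeling Lucky" parameter as a redirect.

Constructed example of a mail or chat link filter. Any http(s) link to a
google.com /search URL that carries a btnI parameter, with or without a
value, is reported as an open-redirect candidate together with the search
term it would redirect through.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Crude link extractor: enough for plain-text message bodies.
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Constructed sample message body; the first link is the one from the post,
# the third uses the value-less btnI form described in the comment.
SAMPLE_BODY = """
Check this out: http://www.google.com/search?q=eBGIQ7ZuuiU&btnI=3564
Docs: https://www.google.com/search?q=python+urlsplit
Proxy style: http://www.google.com/search?hl=en&q=email&btnI
Unrelated: https://example.org/login?next=/account
"""


def is_google_search_host(host: str) -> bool:
    """google.com itself or any subdomain such as www.google.com."""
    host = host.lower().rstrip(".")
    return host == "google.com" or host.endswith(".google.com")


def is_feeling_lucky_redirect(url: str) -> bool:
    """True if url is a google.com /search link carrying btnI (any or no value)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if not is_google_search_host(parts.hostname or ""):
        return False
    if parts.path != "/search":
        return False
    # keep_blank_values so a bare "&btnI" (no "=") still counts as present.
    params = parse_qs(parts.query, keep_blank_values=True)
    return "btnI" in params


def extract_links(text: str) -> list[str]:
    """Return every http(s) link found in a message body."""
    return URL_RE.findall(text)


def flag_redirect_links(text: str) -> list[dict]:
    """Return flagged links with the query the redirect would resolve through."""
    flagged = []
    for url in extract_links(text):
        if is_feeling_lucky_redirect(url):
            query = parse_qs(urlsplit(url).query, keep_blank_values=True)
            flagged.append({"url": url, "query": query.get("q", [""])[0]})
    return flagged


if __name__ == "__main__":
    for hit in flag_redirect_links(SAMPLE_BODY):
        print(f"open-redirect candidate: {hit['url']} (search term: {hit['query']!r})")
```

Because the real destination is whatever ranks first for the query at click time, a filter cannot tell where such a link leads without performing the search itself; flagging the pattern and showing the query is enough for a user or analyst to treat the link as untrusted rather than as a trusted Google.com link.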

1 Comment

  1. I noticed a similar technique while editing settings for my browser, Maxthon. Clicking on the real Google ifl button teaches you this:
    http://www.google.com/search?hl=en&q=%5BQUERY%5D&btnI=I%27m+Feeling+Lucky
    It seems that the param btnI simply needs to be in the URL, but doesn’t need an = or value. I have noticed a problem though…the query cannot contain numbers.

    For instance, if I set q=email, it forwards me to Yahoo. However if I set q=email2, it shows search results. This happens regardless of position or value of btnI…

    …have any solutions or should I keep working?

    Comment by Mono — March 19, 2008 @ 12:59 am
