Open redirectors

Open redirectors send the browser from a Google URL to another website chosen by whoever constructed the link. Some members of the security community argue that these redirectors aid phishing, because users may be inclined to trust the URL shown in a link's hover tooltip and then fail to examine the address bar once the navigation has completed.

Our take on this is that tooltips are not a reliable security indicator and can be tampered with in many ways: the link text, the hover tooltip and the actual navigation target can all differ, and a page's script can swap the destination at click time. For this reason, we invest in technologies that detect phishing and abuse and warn users about them instead. More generally, we hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk.

Conclusion

If you report only an open redirector, we won't file a bug based on your report.

That said, improperly designed redirectors (for example, ones that validate the target as a raw string rather than as a parsed URL, or that accept schemes other than http and https) can lead to more serious flaws, and we have observed cases where such flaws were exploited to trigger vulnerabilities such as:

  • Content Security Policy bypass
  • Referrer check bypass
  • Working meta redirect to javascript: URL
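As an added example (not code from this page or from Google), the snippet below contrasts a naive redirector check with one that decides on the parsed target, using the WHATWG URL parser that ships with Node.js and browsers. The redirector's origin, the allowed-host list and the sample targets are all constructed placeholders, not Google's values; the sample targets are classic inputs that pass substring and prefix checks but leave the trusted origin or select a non-http scheme.

```javascript
// Added example: validating a redirector's target parameter.
// Origin, allowlist and sample inputs are constructed placeholders.
const BASE_URL = "https://www.example.com/"; // origin hosting the redirector (assumed)
const ALLOWED_HOSTS = new Set(["www.example.com", "accounts.example.com"]); // assumed allowlist

// Naive check found in many redirectors: trust anything that looks "local"
// or merely mentions the trusted host somewhere in the string.
function naiveIsSafeRedirect(target) {
  return target.startsWith("/") || target.includes("www.example.com");
}

// Hardened check: resolve the target against the redirector's own origin,
// then decide on the parsed URL rather than on the raw string. Returns the
// normalized absolute URL to redirect to, or null to refuse.
function safeRedirectTarget(target) {
  let url;
  try {
    url = new URL(target, BASE_URL); // same parsing rules the browser applies
  } catch (e) {
    return null; // unparseable input: refuse
  }
  if (url.protocol !== "https:") return null; // drops javascript:, data:, http:, ...
  if (url.username || url.password) return null; // "https://www.example.com@evil..."
  if (!ALLOWED_HOSTS.has(url.hostname)) return null; // exact host match, no suffix or substring
  return url.href; // redirect to the normalized form only
}

// Constructed inputs: legitimate targets plus bypasses of string-based checks.
const SAMPLE_TARGETS = [
  "/account/settings",
  "//evil.example.net/login", // protocol-relative: resolves off-origin
  "/\\evil.example.net", // backslash is treated as a slash in special schemes
  "https://www.example.com.evil.example.net/", // trusted host as a DNS prefix
  "https://www.example.com@evil.example.net/", // trusted host as userinfo
  "javascript:alert(document.domain)//www.example.com", // script URL, host in a comment
  "HTTPS://WWW.EXAMPLE.COM/maps", // legitimate, normalized by the parser
  "https://[", // unparseable
];

// Runs both checks over a list of targets and returns the verdicts side by side.
function compareChecks(targets = SAMPLE_TARGETS) {
  return targets.map((t) => ({
    target: t,
    naive: naiveIsSafeRedirect(t),
    hardened: safeRedirectTarget(t),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of compareChecks()) {
    const naive = row.naive ? "allow " : "refuse";
    console.log(`naive: ${naive} | hardened: ${row.hardened || "refuse"} | ${row.target}`);
  }
}
```

The hardened check returns the normalized `href` rather than the caller's string, so the redirect that is actually issued is exactly what was validated; refusing userinfo and non-https schemes closes the `javascript:` case listed above as well as the credential-in-authority trick.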

If you discover an exploit based on open redirectors and can demonstrate that its impact goes beyond phishing, please share the exploit chain you found with us!

  • No Bounty for Open Redirects?! – ft. LiveOverflow
  • Common Open Redirection Bug Bounty Mistakes – ft. codingo