Neither Google nor Yahoo has fixed a search-site security hole that could be used to redirect users to malicious Web sites, security news Web site NIST.org says.
Under the redirect method of attack, a Web surfer redirected to a site that looks like a legitimate, trusted site could then be tricked into typing in passwords and other sensitive information or get malicious software surreptitiously installed on their computer, according to
"A URL sent in an e-mail message or embedded on a Web page can have its true location masked using Google's help," NIST.org said. "Yahoo has similar problems in that they utilize URL redirection without it having to load from one of their pages...But Yahoo's redirector requires the 'http://' so it's a bit more obvious. Though many users would probably fall for it."
The two search companies were notified about the problem several months ago, John Herron, editor of NIST.org, said in an e-mail. There is no security problem when visiting Google and Yahoo's Web sites. The problem is with the way the redirect code is implemented, in that it could allow a hacker to misuse it to send people to a malicious Web site, he said.
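The two sides of the open-redirect problem described above, as an added example that is not code from the article or from either company: a server-side check that only follows redirect targets on an allowlisted host (so the redirector cannot be pointed at an arbitrary site), and a mail-filter-style check that flags a link whose redirect parameter hides a destination on a different host. The parameter names and the `search.example.com` / `phish.example` hostnames are constructed for the example.

```python
from typing import Optional, Set
from urllib.parse import parse_qs, unquote, urlsplit

# Query-parameter names commonly used by redirectors (constructed list).
REDIRECT_PARAMS = ("q", "url", "u", "redirect", "next", "target")


def safe_redirect_target(target: str, allowed_hosts: Set[str]) -> Optional[str]:
    """Server-side mitigation: return target if it may be followed, else None.

    Only same-site relative paths or absolute http(s) URLs whose host is in
    allowed_hosts pass. Scheme-relative targets ("//other.example") and
    non-http schemes are rejected, since they would also leave the site.
    """
    target = target.strip()
    if target.startswith("/") and not target.startswith("//"):
        return target  # same-site relative path
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return None  # no schemeless, javascript: or data: targets
    if parts.hostname and parts.hostname.lower() in allowed_hosts:
        return target
    return None


def masked_destination(url: str) -> Optional[str]:
    """Detection: if url redirects through one host to a different host,
    return the hidden destination host; otherwise None.

    parse_qs already percent-decodes values; unquote handles a second layer
    of encoding that some mailers or filters would otherwise miss.
    """
    outer = urlsplit(url)
    outer_host = (outer.hostname or "").lower()
    for name, values in parse_qs(outer.query).items():
        if name not in REDIRECT_PARAMS:
            continue
        for value in values:
            inner = urlsplit(unquote(value))
            if inner.scheme in ("http", "https") and inner.hostname:
                if inner.hostname.lower() != outer_host:
                    return inner.hostname.lower()
    return None
```

A link such as `http://search.example.com/url?q=http://phish.example/irs` is the shape of the masked URL the article describes: the visible host is the search site, but `masked_destination` reports `phish.example`.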
Representatives from both companies said they were aware of the problem and working to correct it.
"We are aware of these malicious third party efforts to divert our users from legitimate Google search results," a Google representative said in a statement. "We make every effort to ensure that this does not occur and are constantly working to protect the security of our users. We always encourage users to keep their security software up-to-date to ensure the safest web surfing experience."
A Yahoo representative provided this statement: "We take this issue seriously, understand the concerns and are working on ways to address open redirects. There are many legitimate sites outside of Yahoo! that depend on the current behavior of these servers and we are working to transition to a new solution without breaking genuine web pages."
The problem is not a new one. The same method was used last year by cyber criminals to trick people into visiting and providing sensitive information to what they thought was an IRS Web site.