Forcing "I'm Feeling Lucky" by URL extension.

Forum Moderators: Robert Charlton & goodroi

Message Too Old, No Replies

Forcing "I'm Feeling Lucky" by URL extension.

grelmar

10:25 pm on Jan 10, 2008 (gmt 0)

I just read this security notice from F-Secure [f-secure.com] and something in it caught my eye.

Apparently, if your URL ends in btnI=745, and the link comes up as #1 in the results, it forces the "I'm Feeling Lucky" function to trigger and automatically re-directs the search to the linked page.

I had no idea this was possible, and I'm quite sure that it's a very bad idea to try it.

Am I out to lunch here, IE: the last person to find out about this?

[edited by: tedster at 10:40 pm (utc) on Jan. 10, 2008]
[edit reason] switch to a permalink [/edit]

tedster

10:47 pm on Jan 10, 2008 (gmt 0)

There are a few other such tricks out there in the wild as well. The extra parameter in the query string turns a link to a google url into a link to the spammer website.

We touched on this last Fall a bit, along with exploits that used the Google Redirector:
[webmasterworld.com...]

grelmar

4:59 am on Jan 11, 2008 (gmt 0)

Thanks Tedster.

I read through that other (very brief) thread, and I'm still unclear as to why G might think that allowing this is a good idea. It seems all too easy to game.

In the case that F-Secure listed, the search query term was so specific as to make it easy to take the #1 spot in order to achieve the desired effect of making the link a re-direct through google.

This makes an easy game for scammers, spammers, and phishers, who can use the method as a way of by-passing e-mail based blacklists.

Why doesn't G just shut it down?