Google Maps, a search tool that marketers frequently use to support campaigns, has been hit with another scam. Scammers have been abusing the link-shortening service that Google Maps provides for sharing map URLs: by hiding their own pages behind Maps links, they redirect users to undesirable websites.
Mark Stockley, a specialist at security firm Sophos, identified the scam after receiving a short, abrupt email from a marketing colleague he had not heard from in quite a while.
The link used goo.gl, a link shortener that Google plans to shutter. But the scammer sidestepped the shutdown by using the Maps shortener (maps.app.goo.gl), which redirected to a second HTTP redirect before sending victims on to the untrustworthy domain that hosts the scam, he wrote.
The scammer turned a service designed for shortening and sharing Google Maps URLs into a “redirection service for sharing whatever the heck they like, thanks to an open redirection vulnerability in the maps.app.goo.gl service,” he wrote.
Stockley gives examples of how open redirect vulnerabilities work: code that is meant to issue an HTTP redirect to one specific page instead takes its destination from a request parameter without checking it, so an attacker can make the same code redirect to any page they choose, with the trusted domain appearing in the link the victim sees.
Google has been adding services to Maps. On May 1, New York residents gained real-time Citi Bike information in Google Maps. The bike-share service, part of the New York City transit system, now tells those looking to reserve a bike what is available and where.
Stockley explains that open redirects are common these days. Last week he wrote about how open redirects on a multitude of U.S. government websites are being used to stuff Google Search results pages with links to porn sites.
“To avoid being abused, code that performs redirections should only send users to URLs that match a specific pattern or list of links thought to be OK,” he wrote. “In the case of Google maps that should be simple – if the URL in the link parameter isn’t a Google Map, there’s no reason to allow the redirection.”
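To make the two halves of the article concrete (the unchecked redirect Stockley describes, and the allowlist fix he recommends), here is an added example written for this page. It is not Sophos's or Google's code; the `link` parameter name, the `ALLOWED_HOSTS` set, the `/maps` path prefix and the sample inputs are all assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist for the example: a Maps-style shortener only needs to
# send people to Google Maps pages. These hosts and the path prefix are
# assumptions for illustration, not Google's real configuration.
ALLOWED_HOSTS = {"maps.google.com", "www.google.com"}
ALLOWED_PATH_PREFIXES = ("/maps",)
FALLBACK = "https://maps.google.com/maps"


def _link_param(query_string):
    """Pull the hypothetical 'link' parameter out of a raw query string."""
    params = parse_qs(query_string)
    return params.get("link", [None])[0]


def vulnerable_redirect_target(query_string):
    """The open-redirect pattern: redirect wherever the 'link' parameter says.

    Whatever the attacker put in the parameter becomes the Location header,
    so a trusted-looking short link can land anywhere.
    """
    return _link_param(query_string)


def safe_redirect_target(query_string, fallback=FALLBACK):
    """Redirect only to URLs that are actually Google Maps pages.

    Anything that fails the checks goes to a fixed fallback page instead of
    being echoed back, so the service cannot be turned into a generic redirector.
    """
    link = _link_param(query_string)
    if not link:
        return fallback
    parts = urlsplit(link)
    # Absolute https only. This rejects scheme-relative '//evil.example',
    # 'javascript:' and 'data:' URLs, and plain http downgrades.
    if parts.scheme != "https":
        return fallback
    # Reject userinfo, backslash and port tricks such as
    # https://maps.google.com@evil.example or https://maps.google.com\@evil.example
    if "@" in parts.netloc or "\\" in parts.netloc or ":" in parts.netloc:
        return fallback
    # Exact host match: 'maps.google.com.evil.example' is not in the set.
    if parts.hostname not in ALLOWED_HOSTS:
        return fallback
    # Stockley's rule: if it is not a Google Map, there is no reason to redirect.
    if not parts.path.startswith(ALLOWED_PATH_PREFIXES):
        return fallback
    return link


def compare(query_strings):
    """Return (input, vulnerable result, safe result) rows for a list of query strings."""
    return [(q, vulnerable_redirect_target(q), safe_redirect_target(q)) for q in query_strings]


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate map link and several abuse attempts.
    samples = [
        "link=https://maps.google.com/maps?q=Sophos",
        "link=https://evil.example/scam",
        "link=//evil.example/scam",
        "link=https://maps.google.com@evil.example/maps",
        "link=https://maps.google.com%40evil.example/maps",
        "link=https://maps.google.com.evil.example/maps",
        "link=javascript:alert(1)",
    ]
    for q, vuln, safe in compare(samples):
        print(f"{q}\n  vulnerable -> {vuln}\n  safe       -> {safe}")
```

The hardened version deliberately falls back to a fixed page rather than returning an error that echoes the rejected URL, and it checks the parsed host rather than doing a substring match on the raw string, which is how the `maps.google.com.evil.example` and `maps.google.com@evil.example` cases slip past naive filters.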