I've seen a lot of weird stuff on Twitter. I've received a lot of phishing links, "TrueTwit" validation DM's (which, if you're still using, please do the world and favor and disable), and strange bots trying to follow me, but this was the first time I was nearly fooled by something shady popping up in my DM's:

An endless stream of spam (and a message to myself).

If it weren't for the fact that I received at least 3 copies of the exact message from different accounts within the past 5 days, it would have been somewhat convincing:

Only For you prime herro🚨 accounts.youtube.com/accounts/SetSI…

Twitter auto-shortens links, so it appears as t.co when copied, but a little "Inspect Element" got me the full URL (please don't click it):

https://accounts.youtube.com/accounts/SetSID?ilo=1&ils=a4cc1b7ed445598%20f16cef403bb3b0311&178=6&ilc=0&continue=https%3A%2F%2Fhangouts.google.com%2Flinkredirect%3Fdest%3Dhttp%253A%252F%252Fwww.baidu.com%252Flink%253Furl%253DM73m9XnNshXXvcRHTInWPPyB88yp8iduAYhWFNl6yaL8iuRvxYzH9LmCMQJnfCGJ%2526178%253D1786TxeGlNE3U6%2526wd%253D%2526eqid%253Df3f24615000de162000000065d471239

This is definitely a bonafide youtube.com URL, but it's clear from a single click that your end destination is anywhere but a video streaming site. First, it takes you to a "Get More Followers" page, which then redirects you to Twitter's OAuth authorization endpoint, prompting you to grant a dubious application named "hutra dasarte" access to your account. Ostensibly, the people who sent the message to me granted the application permission inadvertently (natural selection!).

www.freeaddme.us, an extremely sketchy web page.

The point of concern is the continue value in the URL query string. When URI-decoded, it produces the value https%3A%2F%2Fhangouts.google.com%2Flinkredirect%3Fdest%3Dhttp%3A%2F%2Fwww.baidu.com%2Flink%3Furl%3DM73m9XnNshXXvcRHTInWPPyB88yp8iduAYhWFNl6yaL8iuRvxYzH9LmCMQJnfCGJ%26178%3D1786TxeGlNE3U6%26wd%3D%26eqid%3Df3f24615000de162000000065d471239.

From just a simple glance, it's pretty clear that this is a Russian matryoshka doll's worth of nested redirects. This is the complete chain of URL's that you're bounced across:

  • https://accounts.youtube.com/accounts/SetSID?ilo=1&ils=a4cc1b7ed445598%20f16cef403bb3b0311&178=6&ilc=0&continue=https%3A%2F%2Fhangouts.google.com%2Flinkredirect%3Fdest%3Dhttp%253A%252F%252Fwww.baidu.com%252Flink%253Furl%253DM73m9XnNshXXvcRHTInWPPyB88yp8iduAYhWFNl6yaL8iuRvxYzH9LmCMQJnfCGJ%2526178%253D1786TxeGlNE3U6%2526wd%253D%2526eqid%253Df3f24615000de162000000065d471239
  • https://hangouts.google.com/linkredirect?dest=http://www.baidu.com/link?url=M73m9XnNshXXvcRHTInWPPyB88yp8iduAYhWFNl6yaL8iuRvxYzH9LmCMQJnfCGJ&178=1786TxeGlNE3U6&wd=&eqid=f3f24615000de162000000065d471239
  • http://www.baidu.com/link?url=M73m9XnNshXXvcRHTInWPPyB88yp8iduAYhWFNl6yaL8iuRvxYzH9LmCMQJnfCGJ

As mentioned in this 2016 Sucuri post, the baidu.com link is an interstitial redirect to page that has been indexed by the search engine. In this case, the dubious site, freeaddme.us, had been submitted to Baidu previously, and the Baidu SERP link was retrieved at some point before sending it out in bulk.

The most interesting find, though, is that the Hangouts linkredirect endpoint performs a direct redirect to whatever dest is provided, without any kind of CSRF protection at all. For example, click this link to be redirected to my Github page (Go ahead and follow while you're at it):

https://hangouts.google.com/linkredirect?dest=https://github.com/thosakwe

Or the following to be auto-subscribed to my YouTube channel:

https://hangouts.google.com/linkredirect?dest=https://www.youtube.com/c/tobeosakwe?sub_confirmation=1

The aforementioned accounts.youtube.com URL only accepts redirects to Google URL's, so you can't plug any random domain in. However, because hangouts is a subdomain of google.com, spammers (or worse, people trying to spread worms or phish), can easily send unsuspecting users to any random place on the Internet.

Overall, I think this is a pretty concerning problem, but it's also one with a relatively simple fix. I'm not a Hangouts user, so I don't actually know what the linkredirect endpoint is for, but I can't think of a good reason why it should exist further without any cross-site request forgery protection. In the meantime, tossing users from YouTube to Hangouts will be an extremely low-friction way to get people to any nefarious page on the Internet.


Thanks for reading! Let's connect. Follow me on Github or Twitter - my username on both platforms is @thosakwe.