Google Maps users need to stay vigilant as cybercriminals are taking advantage of an existing vulnerability in the program’s link-sharing service to spread links from malicious or compromised websites.
According to Sophos, an IT security firm, cybercriminals cannot use official Google Maps URLs to redirect users to any site they want. However, an open redirect vulnerability that affects the “maps.app.goo.gl” service has been exploited by scammers to redirect users to phishing or malware sites.
The researchers noted that in this campaign, cybercriminals are using a URL shortener to hide links to malware or phishing sites, primarily one that redirects the victim to a Russian page hosting a dieting scam. The malicious links were then shared through Google Maps.
Also, since the URL-sharing feature on Google Maps is not an official product, the tool has no mechanism for reporting fraudulent links, nor does it collect reviews or vet forged URLs.
“Between the legitimate Google URL shortener you’d probably trust, and the Russian URL you probably wouldn’t, the redirection chain bounces you through another Google URL belonging to Google Maps,” said Mark Stockley of Sophos in their blog post.
“To avoid being abused, code that performs redirections should only send users to URLs that match a specific pattern or list of links thought to be OK. In the case of Google maps that should be simple – if the URL in the link parameter isn’t a Google Map, there’s no reason to allow the redirection,” Stockley concluded.
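The allowlist check Stockley describes, written out as an added example that is not Sophos's or Google's code. It contrasts a naive substring test (the kind of check an open redirect typically slips past) with a strict check that parses the `link` parameter and accepts only absolute HTTPS URLs on an allowlisted host and path. The host and path allowlist, the parameter name and the fallback URL are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this illustration: the hosts and path prefix that a
# Google Maps redirector would legitimately send users to.
ALLOWED_HOSTS = {"www.google.com", "maps.google.com", "google.com"}
ALLOWED_PATH_PREFIX = "/maps"
FALLBACK_URL = "https://www.google.com/maps"  # assumed safe default


def naive_check(target: str) -> bool:
    """The weak pattern: 'does the URL mention our domain?'.
    Any attacker-controlled URL can satisfy this by embedding the string."""
    return "google.com" in target


def is_safe_redirect(target: str) -> bool:
    """Strict allowlist: absolute https URL, allowlisted host, /maps path."""
    # Reject whitespace and control characters before parsing; browsers and
    # parsers disagree on how to treat them, which is how bypasses happen.
    if any(c.isspace() or ord(c) < 32 for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    # Protocol-relative ("//evil") and http:// targets are not accepted.
    if parts.scheme.lower() != "https":
        return False
    # userinfo ("https://www.google.com@evil.example/") would confuse a
    # reader; hostname parsing is correct but we reject it outright.
    if "@" in parts.netloc or "\\" in parts.netloc:
        return False
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:  # exact match, so www.google.com.evil fails
        return False
    path = parts.path or "/"
    return path == ALLOWED_PATH_PREFIX or path.startswith(ALLOWED_PATH_PREFIX + "/")


def resolve_redirect(link_param: str) -> str:
    """What a redirect handler should do: honour the link only if it passes
    the allowlist, otherwise send the user to a known-good page."""
    return link_param if is_safe_redirect(link_param) else FALLBACK_URL


if __name__ == "__main__":
    # Constructed sample link parameters, as a redirector might receive them.
    for candidate in (
        "https://www.google.com/maps/place/Example",
        "https://evil.example/?u=www.google.com/maps",
        "https://www.google.com@evil.example/maps",
    ):
        print(f"{candidate!r:55} naive={naive_check(candidate)} "
              f"strict={is_safe_redirect(candidate)} -> {resolve_redirect(candidate)}")
```

The point of the contrast is that the naive test accepts every URL that merely contains the string `google.com`, while the strict check compares the parsed hostname against an exact allowlist and additionally refuses schemes, userinfo and paths it was not written to expect.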
However, this vulnerability is not new. In September 2017, a security researcher going by the online handle of “LewisBugBounty” found the vulnerability affecting maps.app.goo.gl website and its users.