Google Maps flaw lets scammers direct victims to dodgy sites, expert says

Scammers can exploit a flaw in Google Maps to lure users to dodgy sites, a security expert has warned.

According to Sophos researcher Mark Stockley, cybercriminals are sending people to potentially malicious websites by using shortened, innocent-looking Maps links that end up redirecting visitors elsewhere.


Google announced plans to shut down its goo.gl URL Shortener, which inadvertently provided an easy way to disguise dodgy links, earlier this year, and it appears that scammers have found another Google-made alternative.

“The crooks have turned a service designed for shortening and sharing Google Maps URLs into an impromptu redirection service for sharing whatever the heck they like, thanks to an open redirection vulnerability in the maps.app.goo.gl service,” Stockley wrote in a blog post.

“Open redirect vulnerabilities allow attackers to abuse code that’s intended to perform an HTTP redirect to a specific something into code that redirects to anything.”

Worryingly, Sophos says there’s no easy way to report such links and, even worse, the firm says Google was made aware of the issue in September 2017.

“To avoid being abused, code that performs redirections should only send users to URLs that match a specific pattern or list of links thought to be OK,” the blog post continues.

“In the case of Google Maps that should be simple – if the URL in the link parameter isn’t a Google Map, there’s no reason to allow the redirection.”
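The allowlist approach Stockley describes, shown as an added example rather than code from Google, Sophos or the article: an open redirector hands the link parameter straight back, while the hardened version accepts only absolute https URLs on a short list of hosts whose path looks like a map, and sends anything else to a fixed fallback. The host list, path prefixes, function names and fallback URL are assumptions made up for the illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: which hosts a Maps redirector should
# ever forward to, and which path prefixes on each host count as "a map".
# These values are assumptions for illustration, not Google's or Sophos's rules.
ALLOWED_MAP_PREFIXES = {
    "www.google.com": ("/maps",),
    "google.com": ("/maps",),
    "maps.google.com": ("/",),
}

# Where to send any request that fails validation (assumed value).
FALLBACK = "https://www.google.com/maps"


def redirect_open(link: str) -> str:
    """The shape of an open redirect bug: whatever arrives in the link
    parameter is returned unchanged as the Location target."""
    return link


def is_safe_redirect(link: str) -> bool:
    """Return True only for absolute https URLs whose host is allowlisted and
    whose path looks like a map. Other hosts, scheme-relative //host links,
    javascript: URLs and userinfo tricks such as
    https://www.google.com@evil.example are all rejected."""
    try:
        parts = urlsplit(link)
    except ValueError:  # malformed input such as unbalanced IPv6 brackets
        return False
    if parts.scheme != "https":  # "" for //host, "javascript" for javascript:
        return False
    host = parts.hostname  # lowercased; userinfo and port already stripped
    if host is None or host not in ALLOWED_MAP_PREFIXES:
        return False
    if parts.username is not None:  # never forward a URL carrying credentials
        return False
    path = parts.path or "/"
    for prefix in ALLOWED_MAP_PREFIXES[host]:
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return True
    return False


def redirect_safe(link: str) -> str:
    """Hardened redirector: forward only validated map links, else fall back."""
    return link if is_safe_redirect(link) else FALLBACK


if __name__ == "__main__":
    # Constructed sample inputs, the kind of values a link parameter might carry.
    for candidate in (
        "https://www.google.com/maps/place/Big+Ben",
        "https://evil.example/maps",
        "https://www.google.com@evil.example/maps",
        "//evil.example/maps",
    ):
        print(f"open: {redirect_open(candidate)!s:50} safe: {redirect_safe(candidate)}")
```

`urlsplit` does the heavy lifting: `hostname` lowercases the host and discards any `user:pass@` prefix, so a link dressed up as `https://www.google.com@evil.example/` resolves to `evil.example` and fails the allowlist, and a scheme-relative `//evil.example` fails the scheme check before the host is even consulted. Matching the path prefix as well as the host implements the second half of Stockley's point: a google.com URL that is not a map has no business passing through a Maps redirector either.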

What’s the worst place Google Maps has directed you to? Share your thoughts @TrustedReviews.