Unusual Google Chrome Download Redirection



  • When I go to https://www.google.com/chrome/, I get redirected to sign in and then forwarded to some app engine link as can be seen in the continue parameter of the following URL:

    https[:]//accounts[.]google[.]com/ServiceLogin/webreauth?service=ah&passive=true&continue=https%3A%2F%2Fuc.appengine[.]google[.]com%2F_ah%2Fconflogin%3Fcontinue%3Dhttps%3A%2F%2Fchr-183746449-dot-googwebreview[.]appspot[.]com%2Fchrome%2Fbrowser-tools%2F%253Fxpv%253D1&flowName=GlifWebSignIn&flowEntry=ServiceLogin.
    

    (Please don't click the link unless you know what you are doing, as it is potentially suspicious.)

    I tried to sign in with a test account to see where it goes, and it eventually ends up at the following link:

    https[:]//chr-183746449-dot-googwebreview[.]appspot[.]com/chrome/browser-features/?xpv=2
    

    (Please don't click the link unless you know what you are doing, as it is potentially suspicious.)

    I recommend no one click on the suspicious links, but I am just trying to see if anyone has encountered this issue and / or knows why it happens. (I have removed the hyperlinks so no-one accidentally clicks them.)

    I examined it on VirusTotal as well but could not find much more info and it doesn't trigger any engines:

    https://www.virustotal.com/gui/url/7b7d19079d611b1c17c05968ba3fd0b1c3c79b9ed83c19657ef9450fe615c577/detection
    

    Clearing my cache on my machine corrects the problem and I am able to get to the correct page when going to https://www.google.com/chrome/. However, I tested some time later and it seemed to happen again. Since it is only happening on this machine on my network and not others I am wondering if the cache on it is somehow getting poisoned, and if so how. It is an M1 Mac mini if it is of any relevance.

    I also reset the wifi-gateway and password but was able to reproduce it on that same machine after some time. This was also after I had completely re-formatted the hard drive and had done a complete re-install of the OS from the recovery partition. The problem seems to reoccur again maybe about 30 minutes after clearing the cache. Also if I try to visit the link multiple times quickly, about 50% of the time I will actually end up on the correct Google Chrome download page, and the rest of the time I will be redirected to:

    https[:]//accounts[.]google[.]com/ServiceLogin/webreauth?service=ah&passive=true&continue=https%3A%2F%2Fuc.appengine[.]google[.]com%2F_ah%2Fconflogin%3Fcontinue%3Dhttps%3A%2F%2Fchr-183746449-dot-googwebreview[.]appspot[.]com%2Fchrome%2Fbrowser-tools%2F%253Fxpv%253D1&flowName=GlifWebSignIn&flowEntry=ServiceLogin.
    

    This was encountered using Safari on macOS Big Sur 11.2.3. The other odd thing is that it says that (google.com/chrome) is the referrer for:

    https[:]//accounts[.]google[.]com/ServiceLogin/webreauth?service=ah&passive=true&continue=https%3A%2F%2Fuc.appengine[.]google[.]com%2F_ah%2Fconflogin%3Fcontinue%3Dhttps%3A%2F%2Fchr-183746449-dot-googwebreview[.]appspot[.]com%2Fchrome%2Fbrowser-tools%2F%253Fxpv%253D1&flowName=GlifWebSignIn&flowEntry=ServiceLogin 
    

    when I check the web requests in dev tools. However, if I use private browsing on Safari this issue does not happen, and it goes to the correct Google Chrome Download page: https://www.google.com/chrome.

    I would really appreciate it if anyone can shed any insight, because I am kind of worried why this is happening and if this machine and / or my network is potentially compromised.



  • I assume this URL redirection activity is suspicious (phishing) for the reasons below. You can visit this site for more details.

    1. Google never requires sign-in to download the Chrome binary.
    2. https[:]//chr-183746449-dot-googwebreview[.]appspot[.]com is not an official Google site but a random site hosted on appspot with SSL (GCP domain), which mostly requires Gmail authentication to access (through Firebase).
    3. Your final URL pretends to show the Chrome browser features page, but the actual site is https://www.google.com/chrome/browser-features/.
    4. Anyone can deploy a random application in Google Cloud with a unique hostname under the domain xxxxx[.]appspot[.]com, so your specific URL is not shown as suspicious in VirusTotal.

    As stated in the comments, many users are facing such redirection, so there is nothing to worry about regarding your specific system or internet. This might be a local cache / DNS configuration issue, and you may report it to the Chromium team.
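
Added example (not part of either post above): the `continue` parameter in the URL from the question wraps one redirect inside another, with the innermost query double-encoded (`%253F`). This Python sketch unwraps that chain offline, without requesting anything, and labels each hop by domain suffix; the suffix list and the helper names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# URL as posted in the question, still defanged (trailing "." dropped).
POSTED = (
    "https[:]//accounts[.]google[.]com/ServiceLogin/webreauth?service=ah&passive=true"
    "&continue=https%3A%2F%2Fuc.appengine[.]google[.]com%2F_ah%2Fconflogin"
    "%3Fcontinue%3Dhttps%3A%2F%2Fchr-183746449-dot-googwebreview[.]appspot[.]com"
    "%2Fchrome%2Fbrowser-tools%2F%253Fxpv%253D1"
    "&flowName=GlifWebSignIn&flowEntry=ServiceLogin"
)

SUFFIXES = ("google.com", "appspot.com")  # assumption: zones worth telling apart

def refang(text):
    """Undo [.] / [:] defanging in memory only, so the URL can be parsed."""
    return text.replace("[.]", ".").replace("[:]", ":")

def unwrap(url, param="continue", max_depth=8):
    """Return [(host, path), ...] for each URL nested in `param`; no network I/O."""
    hops, url = [], refang(url)
    for _ in range(max_depth):  # bound the loop against self-referencing input
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            break
        hops.append((parts.hostname, parts.path))
        nested = parse_qs(parts.query).get(param)
        if not nested:
            break
        url = nested[0]  # parse_qs already removed one layer of %-encoding
    return hops

def zone(host):
    """Match on a dot boundary so 'google.com.example.net' is not 'google.com'."""
    for suffix in SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return "other"

def app_id(host):
    """App Engine writes '-dot-' in place of '.' in front of the app ID."""
    return host.split(".")[0].split("-dot-")[-1] if zone(host) == "appspot.com" else None

if __name__ == "__main__":
    for host, path in unwrap(POSTED):
        print(f"{zone(host):12} {host.replace('.', '[.]')}{path}  app={app_id(host)}")
```

The last hop is the only one outside `google.com`, which is the host the answer's points 2 and 4 are about.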


