This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug: https://www.chromium.org/Home
/chromium-security/security-faq

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS


I was sent a malicious link:
https://www.google.com/url?sa=t&url=%68%74%74%70%3A%2F%2F%32%32%30%39%2E%72%75&usg=AFQjCNHbFldWJ-mjCHalLjIznyPxIgjsgg&id=eli.krem

This URL automatically redirects *without* an "Redirect Notice" to the following URL: http://2209.ru 

The redirect link is encoded with HTML entity encoder. But trying to enter a different legitimate URL such as http://walla.co.il:
https://www.google.com/url?sa=t&url=%68%74%74%70%3A%2F%2F%77%61%6C%6C%61%2E%63%6F%2E%69%6C&usg=AFQjCNF46rjPDgbLrq8FgO5wZpMlDucW6Q&id=eli.krem

Gives a Redirect Notice. It looks like the attack may knows how the "usg" parameter operates, bypassing the redirect notice. I could not recreate the vulnerability as I do not how to use the "usg" parameter.

This was sent to me via Skype massage from a contact, most probably via a virus in the attacking URL.

Even though URL redirection do not qualify as a vulnerability, google search urls are considered as trusted and even as a bug hunter I was fooled by this one.

VERSION
Chrome Version: [Version 56.0.2924.87 (64-bit)] + [stable]
Operating System: [Windows 10]

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]