Date: Wed, 07 Dec 2011 20:24:36 +0100
From: Michele Orru <antisnatchor@...il.com>
To: secure poon <suckure@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Google open redirect

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm very curious to know why Google is not taking care of Open
Redirection issues.

I know what Chris thinks about it:
http://scarybeastsecurity.blogspot.com/2010/06/open-redirectors-some-sanity.html

Anyway, IMHO I guess it's better and stealthier, from an attacker's point
of view, to use an open redirection in Google, encoding the redirected
domain, than to register goooogle.com and phish his victims with that fake
domain.

Cheers
antisnatchor

secure poon wrote:
> Problem:
> 
> Google suffers from an open redirect that can be used to trick users into
> visiting sites not originating from google.com
> 
> Example:
> 
> http://www.google.com/local/add/changeLocale?currentLocation=http://www.bing.com
> 
> http://www.google.com/local/add/changeLocale?currentLocation=http://www.tubgirl.ca
> 
> Regards
> suckure
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJO371zAAoJEBgl8Z+oSxe4klAIAI0wfyCe4UBzQscTxucsXX4g
D2mbXwhn39r0mqYii86wlLe0U68rM7qXaFo9Y2ivXq+Q9ol1t3OZ/mjisPKAzYpu
98znH6kjoOKR9Rhbo4/FMGrdxCZaRGw+l0GOyF1J7ZHxz0SpwIKcik9XSbeEcFwk
5oMZQN3nxYkNL7BSeCzlfCQ5KqzmBSI6J7Xnp+bl7F83BBcE9TCgriKt4iSjSwe5
Jbm/rd203r1EbA3YbfT0UCdihHjZVMDm3C9JPlUHZOeNxfpHmqkL2sKr90QF+Pvx
TEuNxwDp0pcnVngNW5dIcMNihrwZ6qPLCYw9bbwkTYXaSCBqFAFadOcYF/Oqft0=
=huaT
-----END PGP SIGNATURE-----
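The report above shows a redirect parameter (currentLocation) that accepts an arbitrary absolute URL, and the reply notes that attackers will percent-encode the target to make the link look harmless. The following is an added example, not code from the thread or from Google's endpoint: a redirect-target check of the kind a server-side handler should apply before emitting a Location header. It compares the raw "trust the parameter" form with an allowlist check that also rejects protocol-relative, backslash, percent-encoded, non-http(s) and userinfo variants. The allowlist contents and the function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit, unquote

# Hypothetical allowlist of hosts a redirect may land on; a real deployment
# would load this from configuration rather than hard-code it.
ALLOWED_HOSTS = {"www.google.com", "google.com"}


def vulnerable_location(target: str) -> str:
    """The pattern behind an open redirect: whatever the client sent is
    echoed straight into the Location header."""
    return target


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` stays on one of `allowed_hosts` or is a
    plain absolute path on the current site.

    Rejected cases:
      * absolute URLs to other hosts (the case in the original report)
      * protocol-relative URLs such as //evil.example
      * backslash variants (/\\evil.example) that browsers treat as slashes
      * percent-encoded schemes or slashes, so the encoded form that the reply
        mentions is decoded before it is judged
      * non-http(s) schemes such as javascript:
      * userinfo tricks such as https://www.google.com@evil.example
    """
    # Decode a few rounds so a double-encoded target does not hide from the parser.
    decoded = target
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt

    # Browsers normalise backslashes to forward slashes; do the same before parsing.
    decoded = decoded.replace("\\", "/").strip()
    parts = urlsplit(decoded)

    if parts.scheme == "" and parts.netloc == "":
        # Relative target: accept only a single-slash absolute path on this host.
        return decoded.startswith("/") and not decoded.startswith("//")

    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False

    host = parts.hostname  # already lower-cased by urlsplit
    return host is not None and host in allowed_hosts


def safe_location(target: str, fallback: str = "/") -> str:
    """Location header value for the hardened handler: the requested target if
    it passes the allowlist check, otherwise a fixed on-site fallback."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed sample inputs, including the two URLs from the report.
    for t in ("http://www.bing.com", "http%3A%2F%2Fwww.bing.com",
              "//evil.example", "/\\evil.example",
              "https://www.google.com@evil.example",
              "http://www.google.com/local/add", "/local/add/"):
        print(f"{t!r:45} vulnerable -> {vulnerable_location(t)!r:40} "
              f"safe -> {safe_location(t)!r}")
```

The check parses with the standard library rather than doing string prefix tests, because prefix tests are exactly what the encoded and userinfo forms defeat; the repeated unquote mirrors the decoding a browser or proxy may apply before the redirect is followed.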
