Open Source and information security mailing list archives
 
Date: Thu, 08 Dec 2011 13:04:48 +1300
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Google open redirect

secure poon wrote:

> Problem:
> 
> Google suffers from an open redirect that can be used to trick users into
> visiting sites not originating from google.com

No -- the real problem here is that Google never learns from these...

> Example:
> 
> http://www.google.com/local/add/changeLocale?currentLocation=http://www.bing.com
> 
> http://www.google.com/local/add/changeLocale?currentLocation=http://www.tubgirl.ca

Just like all the ones that came before and all the new ones some or 
other moron at Google will devise tomorrow, next Wednesday, etc, etc.

_Open_ URL redirectors are trivially prevented by any vaguely sentient 
web developer as URL redirectors have NO legitimate use from outside 
one's own site so should ALWAYS be implemented with Referer checking, 
ensuring they are not _open_ redirectors...

(And yes, that means that URL shorteners _as a group_ have no 
legitimate use.)

Apparently Google's web developers are so stubbornly unable to absorb 
this simple notion that it has become company policy that officially 
Google does not care about open redirectors:

   http://www.google.com/about/corporate/company/rewardprogram.html#url-redirection

Notice they do not distinguish between "URL redirectors" (almost 
necessary in many website designs, including their own) and _open_ 
redirectors (the work of ignorant web designers who do not care about 
the reputation of their site/brand/etc).  I'd have thought that "good 
sites" (i.e. "non-evil" ones) would be expected to not want their 
reputation sullied by the kind of trivially prevented reputation abuse 
that _open_ URL redirectors provide.

But we are talking about Google...



Regards,

Nick FitzGerald
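
The Referer check the message above calls for, sketched as the decision function of a redirect handler. This is an added example, not part of the original post and not Google's code; `OWN_HOSTS`, `redirect_decision` and the example.com / partner.test / evil.test hostnames are assumptions made up for illustration, and a request with no Referer header is treated as coming from off-site.

```python
from urllib.parse import urlsplit

# Assumption: the hostnames that make up "one's own site".
OWN_HOSTS = {"www.example.com"}


def _host(url):
    """Lower-cased hostname of an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https"):
        return None
    return (parts.hostname or "").lower() or None


def redirect_decision(target, referer):
    """Return (status, location) for a redirect request.

    target  -- value of the redirect parameter
    referer -- value of the Referer request header, or None if absent
    """
    # Backslashes and control characters are read differently by
    # browsers and by urlsplit, so refuse them outright.
    if not target or any(c == "\\" or ord(c) < 0x20 for c in target):
        return 400, None
    # A path on this site; "//host" is scheme-relative, not a path.
    if target.startswith("/") and not target.startswith("//"):
        return 302, target
    host = _host(target)
    if host is None:            # javascript:, data:, "//host", garbage
        return 400, None
    if host in OWN_HOSTS:
        return 302, target
    # Off-site target: only follow it when the request came from one of
    # our own pages. Exact host match, so "www.example.com.evil.test"
    # and "www.example.com@evil.test" do not pass. No Referer -> refuse.
    if _host(referer or "") in OWN_HOSTS:
        return 302, target
    return 403, None


if __name__ == "__main__":
    # Constructed requests: (target, Referer)
    for t, r in [("http://partner.test/", "http://www.example.com/local/add"),
                 ("http://partner.test/", None),
                 ("http://partner.test/", "http://www.example.com.evil.test/")]:
        print(t, r, redirect_decision(t, r))
```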

