| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <43C4F312.3050002@gecadtech.com> Date: Wed, 11 Jan 2006 13:59:14 +0200 From: Stelian Ene <stelian.ene@...adtech.com> Cc: bugtraq@...urityfocus.com, webappsec@...urityfocus.com Subject: Re: PayPal Phishing Site Exploits Google XSS Vulnerability Paul Laudanski wrote: > There is a new PayPal phishing site that is crafty and cunning in > attempting to hide its true address from the surfer. Unsuspecting users > might fall for this devious trickery. It is thru a Google XSS attack that That XSS attack was solved some time ago. This is simply using the well known google.com/url?q=http://YOURURLHERE trick. I wouldn't call this a security vulnerability, and google is certainly not the only one affected. It's rather a social engineering scam: the users clicks on a google link and does not expect to end up someplace else... A possible "solution" would be to deny redirection for http requests with a refereer outside google.xxx (however, links from the email client would not generate any refereer). Or maybe pause for a few seconds and display a warning "you are leaving google...". ------------------------------------------------------------------------- This List Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download AppScan 6.0 today. https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh --------------------------------------------------------------------------
Powered by blists - more mailing lists