lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4EDFBD74.4060504@gmail.com>
Date: Wed, 07 Dec 2011 20:24:36 +0100
From: Michele Orru <antisnatchor@...il.com>
To: secure poon <suckure@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Google open redirect

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm very courious to know why Google is not taking caring about Open
Redirection issues.

I know what Chris think about it:
http://scarybeastsecurity.blogspot.com/2010/06/open-redirectors-some-sanity.html

Anyway, IMHO I guess it's better and stealthier, from an attacker point
of view, to use an open redirection in Google encoding the redirected
domain than register goooogle.com and phish his victims with that fake
domain.

Cheers
antisnatchor

secure poon wrote:
> Problem:
> 
> Google suffers from an open redirect that can be used to trick users into
> visiting sites not originating from google.com
> 
> Example:
> 
> http://www.google.com/local/add/changeLocale?currentLocation=http://www.bing.com
> 
> http://www.google.com/local/add/changeLocale?currentLocation=http://www.tubgirl.ca
> 
> Regards
> suckure
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJO371zAAoJEBgl8Z+oSxe4klAIAI0wfyCe4UBzQscTxucsXX4g
D2mbXwhn39r0mqYii86wlLe0U68rM7qXaFo9Y2ivXq+Q9ol1t3OZ/mjisPKAzYpu
98znH6kjoOKR9Rhbo4/FMGrdxCZaRGw+l0GOyF1J7ZHxz0SpwIKcik9XSbeEcFwk
5oMZQN3nxYkNL7BSeCzlfCQ5KqzmBSI6J7Xnp+bl7F83BBcE9TCgriKt4iSjSwe5
Jbm/rd203r1EbA3YbfT0UCdihHjZVMDm3C9JPlUHZOeNxfpHmqkL2sKr90QF+Pvx
TEuNxwDp0pcnVngNW5dIcMNihrwZ6qPLCYw9bbwkTYXaSCBqFAFadOcYF/Oqft0=
=huaT
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ