Re: [Full-disclosure] Google open redirect
On 12/10/2011 06:20 AM, Tavis Ormandy wrote:
> I'm not sure I understand whether you're saying that vendors need to
> make users' expectations match reality,

A. The vendor, through their UI, needs to set users' expectations properly.
B. The actual security of the user needs to live up to what is communicated through the UI.

> or if users need to learn how to make security decisions properly.

C. Well that too.

I think C is not going to happen without A & B.

Vendors should not design security features to the lowest common denominator. They should hold users to a higher standard than that implied by typical user studies, lest low expectations continue to form a self-fulfilling prophecy.

> I think it's a believable claim that a large number of users have
> (incorrectly) decided that they can make security decisions using the
> status text or the appearance of a URL anywhere other than the address
> bar.

I know I don't know how to do it. But at the same time, there are some URLs that I'm more scared to click than others.

> The reality is that pleading with everyone in the world to stop using
> redirection wouldn't solve the problem, and (in my opinion) is much
> harder than trying to find these users and educating them about how to
> achieve the desired effect correctly.

Perhaps, but often it seems that UI designers and security people alike are absolutely convinced that users can *never* be effectively educated.

> Trying to call open redirection a vulnerability strikes me as hilarious.
>
> "An attacker that can make a user visit an arbitrary URL can make a
> user visit an arbitrary URL"
>
> Well, there's no vulnerability there, so let's revise it.

It becomes a vulnerability when a system relies on the absence of that capability for its security. Do any? Hopefully not, but often the user is a critical part of the system too.

After the whole goatse.cx gag started to get old, sites which allowed users to post links (like Slashdot) began always putting the domain in the text after the HTML link text.

Now this is probably not a critical security feature, but it can be defeated with an open redirect accessible via [google.com].

I used to think phishing was a silly trick and didn't qualify as a real attack, but it sure seems highly effective in certain real-world contexts. Today there's a recognized attack category called "social engineering"; I used to just think of all that as con games.

> But now if we successfully convince every developer on the planet to
> stop using HTTP redirection, that doesn't change that the user doesn't
> know how to determine if the URL is trusted or not, so we just use one
> of dozens of other simple tricks. Surely the correct solution is to
> educate those users who are doing it incorrectly.

I am in complete agreement with you.

Let's say you are a bank that has just invested in a successful anti-phishing user education campaign. All the users have been trained to look beneath the HTML in emails, not to accept invalid SSL certificates, and only follow legitimate links that look like:

    https://*.examplebank.com/

At that point an open redirect is found under your site, such that

    https://onlinebanking.examplebank.com/confirm.aspx?customerid=1234&return=http%3a%2f%2fpwn%2ely

drives the browser to the attacker's phishing site.

Does this represent a vulnerability?

- Marsh

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
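The Slashdot-style display Marsh describes above (the destination domain printed after the link text) can be produced when user-posted HTML is rendered. What follows is an added example, not code from the thread, from Slashdot or from any site named in it: it appends the host the browser would actually connect to after each anchor, and additionally marks anchors whose visible text names a different host than the href, since that disagreement is exactly what a misleading link relies on. The sample post, the function names and the regular expression are constructed for this example.

```python
"""Show the real destination host next to each user-posted link.

Added example (not code from the thread, Slashdot or any site named in
it): renders a Slashdot-style "[domain]" tag after the anchor text and
marks anchors whose text names a different host than their href.
Function names and the sample post are constructed for this example.
"""
import html
import re
from urllib.parse import urlsplit

# Constructed sample of user-submitted HTML, not from the thread.
SAMPLE_POST = (
    '<a href="http://example.org/article">read this</a>, '
    '<a href="http://www.good.com.e.ch/">good</a>, '
    '<a href="http://www.good@e.ch/">link</a> and '
    '<a href="http://bad.example/">http://good.com</a>'
)

# Deliberately narrow: only anchors whose href is double-quoted.  A real
# renderer would walk the tree of already-sanitised markup instead.
ANCHOR_RE = re.compile(r'<a\s+[^>]*?href="([^"]*)"[^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)


def effective_host(url: str) -> str:
    """Host the browser would actually connect to, lowercased.

    urlsplit() treats everything before '@' in the authority as userinfo,
    so "http://www.good@e.ch/" yields "e.ch", not "www.good".
    """
    return (urlsplit(url).hostname or "").lower()


def host_named_in_text(text: str):
    """Host that the anchor text itself appears to name, or None."""
    text = html.unescape(text).strip()
    if "://" in text:
        return effective_host(text)
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", text, re.IGNORECASE):
        return text.lower()
    return None


def annotate_links(markup: str) -> str:
    """Append " [host]" after every anchor; note when text and href disagree."""
    def repl(match):
        href, text = match.group(1), match.group(2)
        host = effective_host(href)
        claimed = host_named_in_text(text)
        if claimed and claimed != host:
            note = f" [{host}; text claims {claimed}]"
        else:
            note = f" [{host}]"
        return match.group(0) + html.escape(note)
    return ANCHOR_RE.sub(repl, markup)


if __name__ == "__main__":
    print(annotate_links(SAMPLE_POST))
```

The full hostname is shown rather than a registrable domain, because deciding that `www.good.com.e.ch` "really" belongs to `e.ch` needs a public-suffix list; printing the whole host at least puts the real suffix in front of the reader. As Marsh notes, an open redirect on a trusted host defeats this display, which is why the annotation is a convenience and not a security boundary.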
Re: [Full-disclosure] Google open redirect
Marsh Ray <ma...@extendedsubset.com> wrote:
>> But now if we successfully convince every developer on the planet to
>> stop using HTTP redirection, that doesn't change that the user doesn't
>> know how to determine if the URL is trusted or not, so we just use one
>> of dozens of other simple tricks. Surely the correct solution is to
>> educate those users who are doing it incorrectly.
>
> I am in complete agreement with you.
>
> Let's say you are a bank that has just invested in a successful
> anti-phishing user education campaign. All the users have been trained
> to look beneath the HTML in emails, not to accept invalid SSL
> certificates, and only follow legitimate links that look like:
>
>     https://*.examplebank.com/
>
> At that point an open redirect is found under your site, such that
>
>     https://onlinebanking.examplebank.com/confirm.aspx?customerid=1234&return=http%3a%2f%2fpwn%2ely
>
> drives the browser to the attacker's phishing site.
>
> Does this represent a vulnerability?
>
> - Marsh

So they've trained their users to parse and understand HTML, can decode complex documents manually, and understand the difference between anchor text and destination. They can decipher complex URLs using any of the obscure syntax supported, and understand the hierarchical nature of the domain name system. They've also learned how to verify SSL certificates without clicking on links (perhaps using openssl s_client?).

Bizarrely, they've also been convinced to never read the address bar (which is really all they needed to do from the start instead of the hours of training requiring them to reach this level).

Then yes, you have a vulnerability. However, it's in the criminally negligent training material provided by the bank :-)

Tavis.

-- 
tav...@cmpxchg8b.com | pgp encrypted mail preferred
Re: [Full-disclosure] Google open redirect
> Just quickly I digress; this is a massive problem in the mindset of
> many. They won't ever learn about something if they aren't ever made
> aware of it. Say, by fixing the problem...

I have seen "the most users don't understand X anyway" as an argument against fixing X in the browser several times before, and I think that's wrong; but I'm not sure this is applicable here.

/mz
Re: [Full-disclosure] Google open redirect
On 12/09/2011 03:16 PM, valdis.kletni...@vt.edu wrote:
> On Fri, 09 Dec 2011 14:31:15 CST, Marsh Ray said:
>> They may be in the minority, but there *are* users out there who know
>> how to look at the address bar. The security researcher knows this
>> because he is one of them. I call this group the "competent and
>> contentious" users.
>
> Did you mean "contentious" (argumentative, difficult)? Or were you
> thinking of "conscientious" (dedicated to a cause)? ;)

Yes, I certainly meant conscientious. But clearly I was not enough of it to keep on top of my spell checker.

> What vendors *really* hate are users who are both. ;)

Haha, I'm sure I don't know anyone like that. :-)

- Marsh
Re: [Full-disclosure] Google open redirect
Marsh Ray <ma...@extendedsubset.com> wrote:
> On 12/08/2011 12:37 AM, Michal Zalewski wrote:
>> For time being, if you make security decisions based on onmouseover
>> tooltips, link text, or anything along these lines, and do not examine
>> the address bar of the site you are ultimately interacting with, there
>> is very little any particular web application can do to save you: you
>> are just at a significant risk wherever you go. If you take away open
>> redirectors, a myriad of other, comparable ways to fool you remain,
>> and can't be fixed easily.
>
> I think reasoning based on this is subtly fallacious and it often
> contributes to disagreements between researchers and large vendors.
> This is how we got into the state of the web today: bad faith on the
> part of browser vendors.
>
> [...]
>
> Avoiding security improvements because they are perceived as being of
> little benefit to the typical user is wrong. Doing so gains nothing for
> the typical users, it decreases the security available to competent and
> conscientious users, and worst of all it actively removes any
> incentives for the typical user to begin to take responsibility for
> their own security.

I'm not sure I understand whether you're saying that vendors need to make users' expectations match reality, or if users need to learn how to make security decisions properly.

I think it's a believable claim that a large number of users have (incorrectly) decided that they can make security decisions using the status text or the appearance of a URL anywhere other than the address bar. I would be in favour of making that expectation match reality, but it's simply technically infeasible due to a number of fundamental computer science problems.

The reality is that pleading with everyone in the world to stop using redirection wouldn't solve the problem, and (in my opinion) is much harder than trying to find these users and educating them about how to achieve the desired effect correctly.

Trying to call open redirection a vulnerability strikes me as hilarious.

"An attacker that can make a user visit an arbitrary URL can make a user visit an arbitrary URL"

Well, there's no vulnerability there, so let's revise it.

"An attacker that can make a user visit a URL from a domain they trust can make a user visit a URL from a domain they don't trust."

Okay, but there's no way to determine if a URL is trusted or not unless you read it from the address bar. HTTP redirection doesn't do this, as the address bar is correctly updated, so let's revise again.

"An attacker that can make a user who doesn't know how to determine if a URL is trusted or not visit an arbitrary URL, can convince a user to trust an arbitrary URL."

Well obviously :-)

But now if we successfully convince every developer on the planet to stop using HTTP redirection, that doesn't change that the user doesn't know how to determine if the URL is trusted or not, so we just use one of dozens of other simple tricks. Surely the correct solution is to educate those users who are doing it incorrectly.

Tavis.

-- 
tav...@cmpxchg8b.com | pgp encrypted mail preferred
Re: [Full-disclosure] Google open redirect
On 12/08/2011 12:37 AM, Michal Zalewski wrote:
> For time being, if you make security decisions based on onmouseover
> tooltips, link text, or anything along these lines, and do not examine
> the address bar of the site you are ultimately interacting with, there
> is very little any particular web application can do to save you: you
> are just at a significant risk wherever you go. If you take away open
> redirectors, a myriad of other, comparable ways to fool you remain, and
> can't be fixed easily.

I think reasoning based on this is subtly fallacious and it often contributes to disagreements between researchers and large vendors. This is how we got into the state of the web today: bad faith on the part of browser vendors.

They may be in the minority, but there *are* users out there who know how to look at the address bar. The security researcher knows this because he is one of them. I call this group the "competent and contentious" users.

Large vendors are constantly holding bad faith against their userbase. This may be borne out by large user studies, but I've lost count of the number of times I've heard actual security improvements shot down because typical users are presumed to be so incompetent and careless that they will fail to derive a significant benefit from it.

I maintain that design decisions affecting security must be driven by the needs of the competent and contentious user because if he cannot achieve effective security in using the system, then what chance has the typical user?!

Avoiding security improvements because they are perceived as being of little benefit to the typical user is wrong. Doing so gains nothing for the typical users, it decreases the security available to competent and conscientious users, and worst of all it actively removes any incentives for the typical user to begin to take responsibility for their own security.

I think when the typical user gets pwned with phishing or malware he thinks a combination of "stupid Microsoft", "the Internet is out to get me", and "what did I do wrong?". The vendor implicitly answers: "you did nothing wrong because this is all too complicated for you to understand, you should install this additional product to give you better security".

Perhaps this made sense back when the Internet was a toy and the biggest security risk was a limited-liability credit card number, but today we have whole populations in places like Iran wondering if their ass is going to get tortured over something they said on social media.

I think a lot of typical users today are probably wanting to move into that other category and we should support them in that.

- Marsh
Re: [Full-disclosure] Google open redirect
> They may be in the minority, but there *are* users out there who know
> how to look at the address bar. The security researcher knows this
> because he is one of them. I call this group the "competent and
> contentious" users.

Sure. And that group is sort of safe when faced with open redirectors, mouseover tooltips, etc - well, modulo funny corner cases like this:

http://lcamtuf.coredump.cx/switch/

...or:

http://lcamtuf.coredump.cx/switch/index2.html

I have seen "the most users don't understand X anyway" as an argument against fixing X in the browser several times before, and I think that's wrong; but I'm not sure this is applicable here.

/mz
Re: [Full-disclosure] Google open redirect
On Fri, 09 Dec 2011 14:31:15 CST, Marsh Ray said:
> They may be in the minority, but there *are* users out there who know
> how to look at the address bar. The security researcher knows this
> because he is one of them. I call this group the "competent and
> contentious" users.

Did you mean "contentious" (argumentative, difficult)? Or were you thinking of "conscientious" (dedicated to a cause)? ;)

What vendors *really* hate are users who are both. ;)
Re: [Full-disclosure] Google open redirect
On 09/12/2011 20:31, Marsh Ray wrote:
> On 12/08/2011 12:37 AM, Michal Zalewski wrote:
>> For time being, if you make security decisions based on onmouseover
>> tooltips, link text, or anything along these lines, and do not examine
>> the address bar of the site you are ultimately interacting with, there
>> is very little any particular web application can do to save you: you
>> are just at a significant risk wherever you go. If you take away open
>> redirectors, a myriad of other, comparable ways to fool you remain,
>> and can't be fixed easily.
>
> I think reasoning based on this is subtly fallacious and it often
> contributes to disagreements between researchers and large vendors.
> This is how we got into the state of the web today: bad faith on the
> part of browser vendors.
>
> They may be in the minority, but there *are* users out there who know
> how to look at the address bar. The security researcher knows this
> because he is one of them. I call this group the "competent and
> contentious" users.
>
> Large vendors are constantly holding bad faith against their userbase.
> This may be borne out by large user studies, but I've lost count of the
> number of times I've heard actual security improvements shot down
> because typical users are presumed to be so incompetent and careless
> that they will fail to derive a significant benefit from it.
>
> I maintain that design decisions affecting security must be driven by
> the needs of the competent and contentious user because if he cannot
> achieve effective security in using the system, then what chance has
> the typical user?!
>
> Avoiding security improvements because they are perceived as being of
> little benefit to the typical user is wrong. Doing so gains nothing for
> the typical users, it decreases the security available to competent and
> conscientious users, and worst of all it actively removes any
> incentives for the typical user to begin to take responsibility for
> their own security.
>
> I think when the typical user gets pwned with phishing or malware he
> thinks a combination of "stupid Microsoft", "the Internet is out to get
> me", and "what did I do wrong?". The vendor implicitly answers: "you
> did nothing wrong because this is all too complicated for you to
> understand, you should install this additional product to give you
> better security".
>
> Perhaps this made sense back when the Internet was a toy and the
> biggest security risk was a limited-liability credit card number, but
> today we have whole populations in places like Iran wondering if their
> ass is going to get tortured over something they said on social media.
>
> I think a lot of typical users today are probably wanting to move into
> that other category and we should support them in that.
>
> - Marsh

Whilst I agree with what you have said, the majority of computer users today are just consumers. They expect their nice new shiny Win 7 laptop to behave just like their washing machine. Push a button and it does what is expected; they don't expect to have to understand how it works, nor do they expect it to do bad things when they are not looking.

Occasionally a scam may make headline news, but the attention span and memory of the average consumer is measured in days or weeks, not a lifetime.

The marketing blurb from software providers, be that OS or application, does nothing to dispel this expectancy. In fact the marketing blurb does its best to hide any possibility of detriment from using the product from the user.

The user does blame MS or the Internet and very rarely their own incompetence in using the computing device. Why? Because all the marketing blurb for such devices avoids any indication that using said device may result in the compromise of identity or bank account. Where does the advertising for computing devices state that the system is flawed? Nowhere. The consumer is given this image of a wonderful device doing wonderful things. A device that would never bend them over when they least expect it.

The solution is either make the Internet and computers totally secure, or educate the user that the system, be that OS, application or Internet, is broken and they need to be on their guard against what may happen for every click they make.

I like to think I am somewhat competent. The last virus I had, the last compromise I faced, was the Saddam virus on my Amiga. My confidence doesn't make me feel that I will never be owned or compromised. There are far smarter people out there than I. The average consumer does not think this way; they are drunk on the kool aid.
Re: [Full-disclosure] Google open redirect
For example: did you know that if you click on a link from coredump.cx to microsoft.com and it opens in a new window, then a second or two later, that coredump.cx in the background can change the URL of the microsoft.com window, and point it to evil.com? Heck, coredump.cx can even wait until you navigate further down the microsoft.com website - and detect that event programmatically.

That behavior is enshrined within the current design of the same-origin policy, and browser vendors seem hesitant to touch it. Here's a tiny PoC:

http://lcamtuf.coredump.cx/switch/

/mz
Re: [Full-disclosure] Google open redirect
On 08/12/2011 09:13, Michal Zalewski wrote:
> For example: did you know that if you click on a link from coredump.cx
> to microsoft.com and it opens in a new window, then a second or two
> later, that coredump.cx in the background can change the URL of the
> microsoft.com window, and point it to evil.com? Heck, coredump.cx can
> even wait until you navigate further down the microsoft.com website -
> and detect that event programmatically.
>
> That behavior is enshrined within the current design of the same-origin
> policy, and browser vendors seem hesitant to touch it. Here's a tiny
> PoC:
>
> http://lcamtuf.coredump.cx/switch/
>
> /mz

I run with NoScript. So the links showed on the initial pages and when clicked. The same address as the links appeared in the address bar when I clicked the links.

Running with scripting enabled and clicking the "do it" button caused this to appear in the address bar:

data:text/html;np.cx/beaver/

I do online banking and, being paranoid, I do check the address bar and look for https and the "verified by: VeriSign, Inc" popup when I mouse over the domain. If anything even slightly suspicious occurs when connecting to my banking logon I will inspect the certificate and may even examine the page source, depending on how suspicious I am that my bookmarks may have been compromised or the page is not what I expect it to be.

Obviously many users are not this paranoid, elsewise phishing would not be as successful as it is.

Dave
Re: [Full-disclosure] Google open redirect
> I run with NoScript. So the links showed on the initial pages and when
> clicked.

Yes, well, congrats ;-)

/mz
Re: [Full-disclosure] Google open redirect
Nick FitzGerald <n...@virus-l.demon.co.uk> wrote:
> _Open_ URL redirectors are trivially prevented by any vaguely sentient
> web developer as URL redirectors have NO legitimate use from outside
> one's own site so should ALWAYS be implemented with Referer checking,
> ensuring they are not _open_ redirectors...

Although it is possible to trivially prevent redirecting, your technique of Referer checking is not a good way to achieve that. The real question is why do you have a bee in your bonnet about redirection?

The attack proposed is to find a user who doesn't understand that the address bar is the only security indicator supported by browser vendors, and then to convince them to ignore the address bar while they're being attacked.

I don't dispute that you could probably produce a user that would be vulnerable to this attack, perhaps someone who calculates trust based on the status bar text when mouseovering a link. Many users incorrectly believe this is a security mechanism; however, the existence of open redirectors isn't what makes this exploitable. These users would still be vulnerable to tricks like this:

    <a href="http://good.com" onmousedown="this.href='http://bad.com'">link</a>

Perhaps you would argue that there is a subclass of users who do not understand how to determine the current domain, but also disable javascript, or who read their email in mutt. These users would be vulnerable to unsophisticated attacks like these:

    <a href="http://www.good.com.e.ch">good</a>        (Misleading subdomains)
    <a href="http://bad.com">http://good.com</a>       (Misleading anchor text)
    <a href="http://www.good@e.ch">link</a>            (Unusual URL syntax)

And so on.

To save time, I've also heard the following arguments:

* There have been a number of vulnerabilities that were exploitable because of open redirectors, therefore they are indirectly bad.

There have been a number of vulnerabilities in just about every possible browser subsystem. Do you propose we ban pdf files because of CVE-2007-0045? Or ban tables because of MS10-090? A better approach seems to be to fix the vulnerability, rather than plead with every web service provider in the world to stop implementing useful parts of the HTTP spec.

* My company sells a URL blacklist product, and open redirectors break it.

Enumerating known bad will always fail. If the existence of tinyurl breaks your product, then your product was flawed.

* Spammers or phishers really use open redirectors!

Rule #3. Using an open redirector actually introduces a new single point of failure outside of their control into their operation, and so it could be argued this is a good thing ;-) If you care about spam, you now have an additional point to potentially neuter their operation.

My (perhaps cynical) opinion is that because open redirection is such a useful and natural thing to want to implement, and are therefore so common and easy to find, this vulnerability class was invented to pad lacklustre reports from consultants.

Tavis.

-- 
tav...@cmpxchg8b.com | pgp encrypted mail preferred
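Nick proposes Referer checking and Tavis (like Michal, further down the thread) rejects it; neither message shows what a redirect endpoint should check instead. The block below is an added example, not code from the thread or from any site it names, illustrating the usual alternative: the server never consults the Referer and instead accepts a `return=` value only if it is a rooted path on the same site or an https URL whose host is on an explicit allowlist, falling back to a fixed landing page otherwise. It is exercised with the `confirm.aspx?customerid=1234&return=...` query from Marsh's examplebank.com scenario earlier in the thread. `ALLOWED_HOSTS`, `DEFAULT_PATH`, the function names and the extra query strings are all constructed for this example.

```python
"""Accept a redirect target only if it stays on the site.

Added example, not code from the thread or from any site it names.  The
"return=" parameter is validated without looking at the Referer header:
only rooted relative paths or https URLs whose host is on an explicit
allowlist are honoured; anything else falls back to DEFAULT_PATH.
ALLOWED_HOSTS, DEFAULT_PATH and the function names are constructed.
"""
from urllib.parse import parse_qs, urlsplit, urlunsplit

DEFAULT_PATH = "/"

# Hosts this application may send users to (constructed; examplebank.com
# is the placeholder name used in the thread).
ALLOWED_HOSTS = frozenset({
    "onlinebanking.examplebank.com",
    "www.examplebank.com",
})


def safe_redirect_target(raw: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return a redirect target that stays on the site, else DEFAULT_PATH.

    Rejected inputs include other schemes (http:, javascript:, data:),
    protocol-relative "//host", backslashes (browsers treat them like
    slashes), control characters, and userinfo tricks such as
    "https://onlinebanking.examplebank.com@pwn.ly/".
    """
    if not raw:
        return DEFAULT_PATH
    if any(ord(ch) < 0x20 or ch == "\\" for ch in raw):
        return DEFAULT_PATH
    try:
        parts = urlsplit(raw)
    except ValueError:          # e.g. malformed IPv6 literal
        return DEFAULT_PATH
    if not parts.scheme and not parts.netloc:
        # Relative reference: must be rooted ("/...").  urlsplit already
        # puts "//host" into netloc, so that case never reaches here, but
        # the explicit check documents the intent.
        if raw.startswith("/") and not raw.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, ""))
        return DEFAULT_PATH
    if parts.scheme.lower() != "https" or parts.username is not None:
        return DEFAULT_PATH
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return DEFAULT_PATH
    # Rebuild from the parsed pieces so only the canonical host survives
    # (no port, no userinfo, no fragment).
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def location_for_confirm(query_string: str) -> str:
    """Location header value for a confirm.aspx-style endpoint.

    parse_qs() percent-decodes once, exactly as a web framework would, so
    "return=http%3a%2f%2fpwn%2ely" is examined as "http://pwn.ly".
    """
    params = parse_qs(query_string, keep_blank_values=True)
    requested = params.get("return", [""])[0]
    return safe_redirect_target(requested)


if __name__ == "__main__":
    # Constructed query strings; the first is the one from the thread.
    for qs in (
        "customerid=1234&return=http%3a%2f%2fpwn%2ely",
        "customerid=1234&return=%2Faccounts%2Fsummary%3Fview%3Dall",
        "customerid=1234&return=https%3A%2F%2Fonlinebanking.examplebank.com%40pwn.ly%2F",
        "customerid=1234&return=https%3A%2F%2Fwww.examplebank.com%2Fhelp",
    ):
        print(f"{qs}\n  -> Location: {location_for_confirm(qs)}")
```

Two design points: the target is rebuilt from parsed components rather than echoed back, so whatever the parser ignored (port, userinfo, fragment) cannot reach the `Location` header; and the parse happens after one percent-decode, matching what the framework hands the handler, so a doubly encoded value is simply a non-rooted relative path and is rejected. Where the set of destinations is small, replacing the parameter with a server-side lookup key removes the redirect entirely, which is the "direct linking" alternative Michal alludes to later in the thread.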
Re: [Full-disclosure] Google open redirect
Michal/Google,

IMHO, $500 is an incredibly minute amount to give even for an error message information disclosure/an open redirect; researchers with bills can't make a living like that.. although it might? be okay for students. How many Google vulnerabilities per month are there expected to be? Granted there are other avenues to pursue for a fledgling researcher.

What is the cost to Google's business if an open redirect causes their image to be tarnished by some arbitrary amount in the eyes of some percentage of consumers? Considering Google grossed 30 billion dollars in 2010 (ridiculous), I would expect that the numbers we are talking about perhaps are so massive that $500 is nothing in comparison.

We live in an age that pays 5k, or 30k, or 100k for a root level compromise, in a common package with a reliable and solid exploit. At least that's what I hear.

Even if everyone else's opinion says $500 is too much for a redirect, doesn't Google want to promote the industry by sharing a little of the wealth to people with good intentions and ability?

It's time to raise the bar a little here, and I'm not just talking about bounty. Why would Google ever suffer from these issues to begin with? Can't Google, in its infinite wisdom and 30 billion dollars, come up with a better solution for whatever random problem they are trying to solve with an open redirect?

n.b. I have never sold a vulnerability, even when non-pittance sums are offered

/rant

On Thu, Dec 8, 2011 at 12:15 AM, Michal Zalewski <lcam...@coredump.cx> wrote:
>> _Open_ URL redirectors are trivially prevented by any vaguely sentient
>> web developer as URL redirectors have NO legitimate use from outside
>> one's own site so should ALWAYS be implemented with Referer checking
>
> There are decent solutions to lock down some classes of open
> redirectors (and replace others with direct linking), but Referer
> checking isn't one of them. It has several subtle problems that render
> it largely useless in real-world apps.
>
> ...
>
> We have a vulnerability reward program, and it's just about not paying
> $500 for reports of that vulnerability - along with not paying for many
> other minimal-risk problems such as path disclosure.
>
> /mz
Re: [Full-disclosure] Google open redirect
Sorry, you think people should be making a living off reporting open redirect disclosure?

On Thu, Dec 8, 2011 at 2:53 PM, Charles Morris <cmor...@cs.odu.edu> wrote:
> Michal/Google,
>
> IMHO, $500 is an incredibly minute amount to give even for an error
> message information disclosure/an open redirect; researchers with bills
> can't make a living like that.. although it might? be okay for
> students. How many Google vulnerabilities per month are there expected
> to be? Granted there are other avenues to pursue for a fledgling
> researcher.
>
> What is the cost to Google's business if an open redirect causes their
> image to be tarnished by some arbitrary amount in the eyes of some
> percentage of consumers? Considering Google grossed 30 billion dollars
> in 2010 (ridiculous), I would expect that the numbers we are talking
> about perhaps are so massive that $500 is nothing in comparison.
>
> We live in an age that pays 5k, or 30k, or 100k for a root level
> compromise, in a common package with a reliable and solid exploit. At
> least that's what I hear.
>
> Even if everyone else's opinion says $500 is too much for a redirect,
> doesn't Google want to promote the industry by sharing a little of the
> wealth to people with good intentions and ability?
>
> It's time to raise the bar a little here, and I'm not just talking
> about bounty. Why would Google ever suffer from these issues to begin
> with? Can't Google, in its infinite wisdom and 30 billion dollars, come
> up with a better solution for whatever random problem they are trying
> to solve with an open redirect?
>
> n.b. I have never sold a vulnerability, even when non-pittance sums are
> offered
>
> /rant
>
> On Thu, Dec 8, 2011 at 12:15 AM, Michal Zalewski <lcam...@coredump.cx> wrote:
>>> _Open_ URL redirectors are trivially prevented by any vaguely
>>> sentient web developer as URL redirectors have NO legitimate use from
>>> outside one's own site so should ALWAYS be implemented with Referer
>>> checking
>>
>> There are decent solutions to lock down some classes of open
>> redirectors (and replace others with direct linking), but Referer
>> checking isn't one of them. It has several subtle problems that render
>> it largely useless in real-world apps.
>>
>> ...
>>
>> We have a vulnerability reward program, and it's just about not paying
>> $500 for reports of that vulnerability - along with not paying for
>> many other minimal-risk problems such as path disclosure.
>>
>> /mz
Re: [Full-disclosure] Google open redirect
Don't be strange, was I not specific enough?

I think people should be encouraged to do the work, if they are good enough to find something that nobody else has noticed yet- and all of these "cash for bugs" programs have me a bit annoyed. Not offering the money for issues that they claim to offer for issues is not only dishonest but it is discouraging to beginning researchers. I've personally seen it happen.

On Thu, Dec 8, 2011 at 9:57 AM, Benji <m...@b3nji.com> wrote:
> Sorry, you think people should be making a living off reporting open
> redirect disclosure?
Re: [Full-disclosure] Google open redirect
> IMHO, $500 is an incredibly minute amount to give even for an error
> message information disclosure/an open redirect; researchers with bills
> can't make a living like that.. although it might? be okay for students.

I wasn't being strange, you pretty much implied it.

On Thu, Dec 8, 2011 at 3:03 PM, Charles Morris <cmor...@cs.odu.edu> wrote:
> Don't be strange, was I not specific enough?
>
> I think people should be encouraged to do the work, if they are good
> enough to find something that nobody else has noticed yet- and all of
> these "cash for bugs" programs have me a bit annoyed. Not offering the
> money for issues that they claim to offer for issues is not only
> dishonest but it is discouraging to beginning researchers. I've
> personally seen it happen.
>
> On Thu, Dec 8, 2011 at 9:57 AM, Benji <m...@b3nji.com> wrote:
>> Sorry, you think people should be making a living off reporting open
>> redirect disclosure?
Re: [Full-disclosure] Google open redirect
Pretty much nearly almost implying and implying are very different things.

On Thu, Dec 8, 2011 at 10:05 AM, Benji m...@b3nji.com wrote:
> IMHO, $500 is an incredibly minute amount to give even for an error message information disclosure/an open redirect; researchers with bills can't make a living like that, although it might be okay for students.
>
> I wasn't being strange, you pretty much implied it.
Re: [Full-disclosure] Google open redirect
Well, I usually support adopting business models into processes that help society, so I would agree with you on the monetary philosophy. But the strategy here isn't (as I understand) driving pros into the program, but getting rid of unilateral vuln disclosures that happen mostly without direct monetary compensation. So, I think Google's program is directed to those that already are willing to gain no money for their work in disclosing vulns. Again, this is just my point of view.

2011/12/8 Charles Morris cmor...@cs.odu.edu:
> Granted, but I know that vulnerability research can take a huge chunk of time out of a person's life, and without getting into monetary philosophy, I feel that in our current system, a person should be compensated for their time if they've done something useful for society. That's sort of the point of the way we use money.
>
> On Thu, Dec 8, 2011 at 10:03 AM, Pablo Ximenes pa...@ximen.es wrote:
> > I think the reward is intended as a symbolic token of appreciation, and not as compensation. That's why they give you the option to donate your cash reward instead of keeping the money. I think what really drives researchers into Google's program is recognition and not compensation, IMHO.
Re: [Full-disclosure] Google open redirect
I think the reward is intended as a symbolic token of appreciation, and not as compensation. That's why they give you the option to donate your cash reward instead of keeping the money. I think what really drives researchers into Google's program is recognition and not compensation, IMHO.

2011/12/8 Charles Morris cmor...@cs.odu.edu:
> Michal/Google,
>
> IMHO, $500 is an incredibly minute amount to give even for an error message information disclosure/an open redirect; researchers with bills can't make a living like that, although it might be okay for students. How many Google vulnerabilities per month are there expected to be? Granted there are other avenues to pursue for a fledgling researcher.
>
> What is the cost to Google's business if an open redirect causes their image to be tarnished by some arbitrary amount in the eyes of some percentage of consumers? Considering Google grossed 30 billion dollars in 2010 (ridiculous), I would expect that the numbers we are talking about perhaps are so massive that $500 is nothing in comparison.
>
> We live in an age that pays 5k, or 30k, or 100k for a root level compromise, in a common package with a reliable and solid exploit. At least that's what I hear. Even if everyone else's opinion says $500 is too much for a redirect, doesn't Google want to promote the industry by sharing a little of the wealth with people with good intentions and ability?
>
> It's time to raise the bar a little here, and I'm not just talking about bounty. Why would Google ever suffer from these issues to begin with? Can't Google, in its infinite wisdom and 30 billion dollars, come up with a better solution for whatever random problem they are trying to solve with an open redirect?
>
> n.b. I have never sold a vulnerability, even when non-pittance sums are offered
>
> /rant
>
> On Thu, Dec 8, 2011 at 12:15 AM, Michal Zalewski lcam...@coredump.cx wrote:
> > > _Open_ URL redirectors are trivially prevented by any vaguely sentient web developer as URL redirectors have NO legitimate use from outside one's own site so should ALWAYS be implemented with Referer checking
> >
> > There are decent solutions to lock down some classes of open redirectors (and replace others with direct linking), but Referer checking isn't one of them. It has several subtle problems that render it largely useless in real-world apps.
> >
> > ...
> >
> > We have a vulnerability reward program, and it's just about not paying $500 for reports of that vulnerability - along with not paying for many other minimal-risk problems such as path disclosure.
> >
> > /mz
Re: [Full-disclosure] Google open redirect
I'm sure you are right about Google's intentions, it doesn't really make it any less palatable to me however. I'm just ranting really. haha

On Thu, Dec 8, 2011 at 10:13 AM, Pablo Ximenes pa...@ximen.es wrote:
> Well, I usually support adopting business models into processes that help society, so I would agree with you on the monetary philosophy. But the strategy here isn't (as I understand) driving pros into the program, but getting rid of unilateral vuln disclosures that happen mostly without direct monetary compensation. So, I think Google's program is directed to those that already are willing to gain no money for their work in disclosing vulns. Again, this is just my point of view.
>
> 2011/12/8 Charles Morris cmor...@cs.odu.edu:
> > Granted, but I know that vulnerability research can take a huge chunk of time out of a person's life, and without getting into monetary philosophy, I feel that in our current system, a person should be compensated for their time if they've done something useful for society. That's sort of the point of the way we use money.
> >
> > On Thu, Dec 8, 2011 at 10:03 AM, Pablo Ximenes pa...@ximen.es wrote:
> > > I think the reward is intended as a symbolic token of appreciation, and not as compensation. That's why they give you the option to donate your cash reward instead of keeping the money. I think what really drives researchers into Google's program is recognition and not compensation, IMHO.
Re: [Full-disclosure] Google open redirect
> Granted, but I know that vulnerability research can take a huge chunk of time out of a person's life, and without getting into monetary philosophy, I feel that in our current system, a person should be compensated for their time if they've done something useful for society.

Is this an existential discussion now? :-)

As the world is structured today, you are not automatically entitled to compensation because you are doing something that, in your opinion, helps the world. That said, you can often find other people who share your sentiment, and are willing to support your cause.

As it happens, Google has a vulnerability reward program that rewards the effort of external security researchers with rewards typically ranging from $500 to $3133.7 per bug. There are contributors earning a decent living off of this program alone. You may view it cynically, but the reason for having it isn't to suppress non-compliant disclosure, but just to make the Internet a safer place - and to compensate people as a function of the difficulty of finding a flaw, and the utility of that finding. The program resulted in a *huge* spike of privately reported vulnerabilities that nobody would be even bothered to try to find before, and hasn't really affected the number of public disclosures much.

If you don't like it, let us know how to improve it. You also always have the option of not researching vulnerabilities in these platforms; going with the full-disclosure approach; or selling the flaws to a willing third party.

/mz

PS. I'm speaking on my own behalf, and trying to be as open as possible, so let's not make it overly political.
Re: [Full-disclosure] Google open redirect
2011/12/8 Michal Zalewski lcam...@coredump.cx:
> If you don't like it, let us know how to improve it. You also always have the option of not researching vulnerabilities in these platforms; going with the full-disclosure approach; or selling the flaws to a willing third party.

Well, selling flaws to third parties might be considered a crime in some places, so I would be cautious with that approach.
Re: [Full-disclosure] Google open redirect
On Thu, 08 Dec 2011 14:24:21 -0300, Pablo Ximenes said:
> 2011/12/8 Michal Zalewski lcam...@coredump.cx:
> > If you don't like it, let us know how to improve it. You also always have the option of not researching vulnerabilities in these platforms; going with the full-disclosure approach; or selling the flaws to a willing third party.
>
> Well, selling flaws to third parties might be considered a crime in some places, so I would be cautious with that approach.

I suspect a large portion of the people who are selling flaws to third parties are not at all concerned about whether selling the flaw is a crime, as often the bigger question is how many crimes were committed in the discovery process...
Re: [Full-disclosure] Google open redirect
Good point. Makes me wonder though how many people realize that ZDi and such are third parties.

On Dec 8, 2011 9:47 AM, valdis.kletni...@vt.edu wrote:
> On Thu, 08 Dec 2011 14:24:21 -0300, Pablo Ximenes said:
> > 2011/12/8 Michal Zalewski lcam...@coredump.cx:
> > > If you don't like it, let us know how to improve it. You also always have the option of not researching vulnerabilities in these platforms; going with the full-disclosure approach; or selling the flaws to a willing third party.
> >
> > Well, selling flaws to third parties might be considered a crime in some places, so I would be cautious with that approach.
>
> I suspect a large portion of the people who are selling flaws to third parties are not at all concerned about whether selling the flaw is a crime, as often the bigger question is how many crimes were committed in the discovery process...
Re: [Full-disclosure] Google open redirect
I was assuming web vulns found in Google's Infrastructure, and not vulnerabilities in general, as I imagine Google wouldn't condone selling vulns on their systems to the highest bidder. As far as crimes committed during the process of discovering the vuln itself, Google expressly authorizes security testing in the program: http://www.google.com/about/corporate/company/rewardprogram.html

But for vulns in general, I totally agree with you.

2011/12/8 valdis.kletni...@vt.edu:
> On Thu, 08 Dec 2011 14:24:21 -0300, Pablo Ximenes said:
> > 2011/12/8 Michal Zalewski lcam...@coredump.cx:
> > > If you don't like it, let us know how to improve it. You also always have the option of not researching vulnerabilities in these platforms; going with the full-disclosure approach; or selling the flaws to a willing third party.
> >
> > Well, selling flaws to third parties might be considered a crime in some places, so I would be cautious with that approach.
>
> I suspect a large portion of the people who are selling flaws to third parties are not at all concerned about whether selling the flaw is a crime, as often the bigger question is how many crimes were committed in the discovery process...
Re: [Full-disclosure] Google open redirect
On Thu, 08 Dec 2011 16:37:57 -0300, Pablo Ximenes said:
> I was assuming web vulns found in Google's Infrastructure, and not vulnerabilities in general as I imagine Google wouldn't condone selling vulns on their systems to the highest bidder.

There's what you don't condone, and then there's what you can't do a thing about. There's no way for Google to take any action against an under-the-table sale of an exploit...
Re: [Full-disclosure] Google open redirect
Amount in labor it took to find open redirect: $1.00
Amount Google is willing to pay for undisclosed vulnerability: $500.00
The chance that most of Full-Disclosure saw Tubgirl: Priceless

For everything else, there's the lulz

On Thu, Dec 8, 2011 at 11:50 AM, valdis.kletni...@vt.edu wrote:
> On Thu, 08 Dec 2011 16:37:57 -0300, Pablo Ximenes said:
> > I was assuming web vulns found in Google's Infrastructure, and not vulnerabilities in general as I imagine Google wouldn't condone selling vulns on their systems to the highest bidder.
>
> There's what you don't condone, and then there's what you can't do a thing about. There's no way for Google to take any action against an under-the-table sale of an exploit...
[Full-disclosure] Google open redirect
Problem: Google suffers from an open redirect that can be used to trick users into visiting sites not originating from google.com

Example:
http://www.google.com/local/add/changeLocale?currentLocation=http://www.bing.com
http://www.google.com/local/add/changeLocale?currentLocation=http://www.tubgirl.ca

Regards
suckure
Re: [Full-disclosure] Google open redirect
I'm very curious to know why Google is not taking care about Open Redirection issues. I know what Chris thinks about it: http://scarybeastsecurity.blogspot.com/2010/06/open-redirectors-some-sanity.html

Anyway, IMHO I guess it's better and stealthier, from an attacker point of view, to use an open redirection in Google encoding the redirected domain than register ggle.com and phish his victims with that fake domain.

Cheers
antisnatchor

secure poon wrote:
> Problem: Google suffers from an open redirect that can be used to trick users into visiting sites not originating from google.com
>
> Example:
> http://www.google.com/local/add/changeLocale?currentLocation=http://www.bing.com
> http://www.google.com/local/add/changeLocale?currentLocation=http://www.tubgirl.ca
>
> Regards
> suckure
Re: [Full-disclosure] Google open redirect
secure poon wrote:
> Problem: Google suffers from an open redirect that can be used to trick users into visiting sites not originating from google.com

No -- the real problem here is that Google never learns from these...

> Example:
> http://www.google.com/local/add/changeLocale?currentLocation=http://www.bing.com
> http://www.google.com/local/add/changeLocale?currentLocation=http://www.tubgirl.ca

Just like all the ones that came before and all the new ones some or other moron at Google will devise tomorrow, next Wednesday, etc, etc.

_Open_ URL redirectors are trivially prevented by any vaguely sentient web developer as URL redirectors have NO legitimate use from outside one's own site so should ALWAYS be implemented with Referer checking, ensuring they are not _open_ redirectors... (And yes, that means that URL shorteners _as a group_ have no legitimate use.)

Apparently Google's web developers are so stubbornly unable to absorb this simple notion that it has become company policy that officially Google does not care about open redirectors:

http://www.google.com/about/corporate/company/rewardprogram.html#url-redirection

Notice they do not distinguish between URL redirectors (almost necessary in many website designs, including their own) and _open_ redirectors (the work of ignorant web designers who do not care about the reputation of their site/brand/etc). I'd have thought that good sites (i.e. non-evil ones) would be expected to not want their reputation sullied by the kind of trivially prevented reputation abuse that _open_ URL redirectors provide. But we are talking about Google...

Regards,

Nick FitzGerald
Re: [Full-disclosure] Google open redirect
> _Open_ URL redirectors are trivially prevented by any vaguely sentient web developer as URL redirectors have NO legitimate use from outside one's own site so should ALWAYS be implemented with Referer checking

There are decent solutions to lock down some classes of open redirectors (and replace others with direct linking), but Referer checking isn't one of them. It has several subtle problems that render it largely useless in real-world apps.

There are also some classes of redirection / content proxying problems that you can't quite eliminate until you give up on offering certain functionality to users (e.g. page translation, cached document views, embeddable iframe gadgets) - and that's actually an interesting conceptual struggle.

> Apparently Google's web developers are so stubbornly unable to absorb this simple notion that it has become company policy that officially Google does not care about open redirectors:
> http://www.google.com/about/corporate/company/rewardprogram.html#url-redirection

I actually wrote that bit, and as far as I remember, it's not a half-assed attempt to justify incompetence ;-)

We have a vulnerability reward program, and it's just about not paying $500 for reports of that vulnerability - along with not paying for many other minimal-risk problems such as path disclosure.

/mz
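An added example, not code from this thread, from Google or from any of the posters, showing the redirect pattern in the original report beside two of the "decent solutions" that do not rely on Referer checking: confining the target to the site's own origin, and accepting an external target only when it carries an HMAC tag the site itself attached when it generated the link. The hostname `www.example.test`, the signing key and all sample URLs are constructed for the example.

```python
"""Redirect-target handling: the open pattern beside two locked-down ones.

Everything here is illustrative: OUR_HOST, SIGNING_KEY and the sample
URLs are constructed values, not anything from the thread or from Google.
"""
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

OUR_HOST = "www.example.test"                    # constructed hostname
SIGNING_KEY = b"constructed-demo-key-rotate-me"  # constructed secret


def redirect_open(target: str) -> str:
    """The open-redirect anti-pattern: the client-supplied parameter becomes
    the Location header unchanged, so any site can be the destination."""
    return target


def local_target(target: str, fallback: str = "/") -> str:
    """Reduce a redirect target to a same-site relative URL, or return fallback.

    Accepts a path beginning with a single "/" or an https URL whose host is
    exactly OUR_HOST, and always re-serialises the result as a relative URL,
    so no client-supplied scheme or host is ever echoed into Location.
    No Referer check is involved: the decision depends only on the target.
    """
    if not target:
        return fallback
    # Control characters have no place in a URL and can split headers in a
    # careless server stack; refuse rather than try to clean them up.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return fallback
    # Browsers treat "\" like "/" in http(s) URLs, so "/\evil" means "//evil".
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL: only our own host over https, and no userinfo trick
        # such as "https://www.example.test@evil.example/".
        if (parts.scheme != "https" or parts.hostname != OUR_HOST
                or parts.username is not None):
            return fallback
    elif not candidate.startswith("/") or candidate.startswith("//"):
        # Relative form must be an absolute path; "//" or "///" would be read
        # by browsers as a network-path reference to another host.
        return fallback
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return fallback
    return urlunsplit(("", "", path, parts.query, parts.fragment))


def redirect_tag(url: str) -> str:
    """HMAC tag the site computes when it generates an outbound link itself.

    Only links the site created carry a valid tag, so the endpoint is no
    longer open even though it can send users to external hosts."""
    return hmac.new(SIGNING_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def external_target(url: str, tag: str, fallback: str = "/") -> str:
    """Accept an external target only when its tag verifies (constant-time)."""
    if isinstance(tag, str) and hmac.compare_digest(redirect_tag(url), tag):
        return url
    return fallback


if __name__ == "__main__":
    samples = ["/account?next=1", "http://www.bing.com", "//evil.example/",
               "https://www.example.test@evil.example/", "/\\evil.example"]
    for t in samples:
        print(f"{t!r:42} open -> {redirect_open(t)!r:42} locked -> {local_target(t)!r}")
```

The two locked-down functions answer different needs: `local_target` suits a `?next=` parameter that only ever needs to land on the site's own pages, while `redirect_tag`/`external_target` keeps a genuinely outbound redirector usable without letting arbitrary third parties mint links through it.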
Re: [Full-disclosure] Google open redirect
As for minimal risk I personally don't agree. I have leveraged Unvalidated URL Redirections in the past to attack clients of sites all the time. It's highly trivial to point to a site with a metasploit browser bug patiently waiting and amass quite a large number of sessions in a short period of time should your spam campaign be efficient and actually draw users to the vulnerable site.

Just like with XSS, being able to drive clients from one site to another is a huge security risk, not for the company, but for the clients of that company which will quickly point fingers at the company for putting them at risk in the first place and while I agree that the researcher shouldn't get paid the full 500 bucks some sort of compensation for keeping Google's ass out of the fire should be presented to the researcher; even if it's just a friggen $100 Adwords coupon to help the researcher drive traffic to their site at the very least.

In the end, until someone leverages one of these vulnerabilities in a large company and pisses off a lot of clients and causes the media to go after the company, I don't see many product vendors or large websites giving two shits about vulnerabilities such as this which is both sad and a fact of life.

Cheers,
connection
HackTalk Security - Security From The Underground

On Thu, Dec 8, 2011 at 12:15 AM, Michal Zalewski lcam...@coredump.cx wrote:
> > _Open_ URL redirectors are trivially prevented by any vaguely sentient web developer as URL redirectors have NO legitimate use from outside one's own site so should ALWAYS be implemented with Referer checking
>
> There are decent solutions to lock down some classes of open redirectors (and replace others with direct linking), but Referer checking isn't one of them. It has several subtle problems that render it largely useless in real-world apps.
>
> There are also some classes of redirection / content proxying problems that you can't quite eliminate until you give up on offering certain functionality to users (e.g. page translation, cached document views, embeddable iframe gadgets) - and that's actually an interesting conceptual struggle.
>
> > Apparently Google's web developers are so stubbornly unable to absorb this simple notion that it has become company policy that officially Google does not care about open redirectors:
> > http://www.google.com/about/corporate/company/rewardprogram.html#url-redirection
>
> I actually wrote that bit, and as far as I remember, it's not a half-assed attempt to justify incompetence ;-)
>
> We have a vulnerability reward program, and it's just about not paying $500 for reports of that vulnerability - along with not paying for many other minimal-risk problems such as path disclosure.
>
> /mz
Re: [Full-disclosure] Google open redirect
> As for minimal risk I personally don't agree. I have leveraged Unvalidated URL Redirections in the past to attack clients of sites all the time. It's highly trivial to point to a site with a metasploit browser bug patiently waiting and amass quite a large number of sessions in a short period of time should your spam campaign be efficient and actually draw users to the vulnerable site.

The problem is that the current contents of the address bar are about the only security indicator you have in the browser. It's unfortunate, and many users don't truly grasp this; and even if they do, they don't understand the intricacies of the URL syntax - but still, that's what we have to live with.

The security community should try to fix this huge problem - but the progress on this and many other fundamental challenges in browser security is often hindered by the dynamics of vendor-researcher interactions. For the time being, if you make security decisions based on onmouseover tooltips, link text, or anything along these lines, and do not examine the address bar of the site you are ultimately interacting with, there is very little any particular web application can do to save you: you are just at a significant risk wherever you go. If you take away open redirectors, a myriad of other, comparable ways to fool you remain, and can't be fixed easily.

For example: did you know that if you click on a link from coredump.cx to microsoft.com and it opens in a new window, then a second or two later, that coredump.cx in the background can change the URL of the microsoft.com window, and point it to evil.com? Heck, coredump.cx can even wait until you navigate further down the microsoft.com website - and detect that event programmatically. That behavior is enshrined within the current design of the same-origin policy, and browser vendors seem hesitant to touch it.

I posted a brief rant about it about two years ago: http://lcamtuf.blogspot.com/2010/04/address-bar-and-sea-of-darkness.html

I've been in the community for a while, and I hope it goes without saying that I'm not here to be a mouthpiece for my current employer; I just genuinely think it's a complicated problem, and we need to pick our battles carefully. Redirectors are not particularly desirable, but the big picture is less obvious than it seems.

/mz