Re: [Full-disclosure] Google open redirect

2011-12-13 Thread Marsh Ray
On 12/10/2011 06:20 AM, Tavis Ormandy wrote: I'm not sure I understand whether you're saying that vendors need to make users' expectations match reality, A. The vendor, through their UI, needs to set users' expectations properly. B. The actual security of the user needs to live up to what is

Re: [Full-disclosure] Google open redirect

2011-12-13 Thread Tavis Ormandy
Marsh Ray ma...@extendedsubset.com wrote: But now if we successfully convince every developer on the planet to stop using HTTP redirection, that doesn't change that the user doesn't know how to determine if the URL is trusted or not, so we just use one of dozens of other simple tricks.

Re: [Full-disclosure] Google open redirect

2011-12-12 Thread Charles Morris
Just quickly I digress; this is a massive problem in the mindset of many. They won't ever learn about something if they aren't ever made aware of it. Say, by fixing the problem... I have seen the most users don't understand X anyway as an argument against fixing X in the browser several

Re: [Full-disclosure] Google open redirect

2011-12-11 Thread Marsh Ray
On 12/09/2011 03:16 PM, valdis.kletni...@vt.edu wrote: On Fri, 09 Dec 2011 14:31:15 CST, Marsh Ray said: They may be in the minority, but there *are* users out there who know how to look at the address bar. The security researcher knows this because he is one of them. I call this group the

Re: [Full-disclosure] Google open redirect

2011-12-10 Thread Tavis Ormandy
Marsh Ray ma...@extendedsubset.com wrote: On 12/08/2011 12:37 AM, Michal Zalewski wrote: For time being, if you make security decisions based on onmouseover tooltips, link text, or anything along these lines, and do not examine the address bar of the site you are ultimately interacting

Re: [Full-disclosure] Google open redirect

2011-12-09 Thread Marsh Ray
On 12/08/2011 12:37 AM, Michal Zalewski wrote: For time being, if you make security decisions based on onmouseover tooltips, link text, or anything along these lines, and do not examine the address bar of the site you are ultimately interacting with, there is very little any particular web

Re: [Full-disclosure] Google open redirect

2011-12-09 Thread Michal Zalewski
They may be in the minority, but there *are* users out there who know how to look at the address bar. The security researcher knows this because he is one of them. I call this group the competent and contentious users. Sure. And that group is sort of safe when faced with open redirectors,

Re: [Full-disclosure] Google open redirect

2011-12-09 Thread Valdis . Kletnieks
On Fri, 09 Dec 2011 14:31:15 CST, Marsh Ray said: They may be in the minority, but there *are* users out there who know how to look at the address bar. The security researcher knows this because he is one of them. I call this group the competent and contentious users. Did you mean

Re: [Full-disclosure] Google open redirect

2011-12-09 Thread Dave
On 09/12/2011 20:31, Marsh Ray wrote: On 12/08/2011 12:37 AM, Michal Zalewski wrote: For time being, if you make security decisions based on onmouseover tooltips, link text, or anything along these lines, and do not examine the address bar of the

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Michal Zalewski
For example: did you know that if you click on a link from coredump.cx to microsoft.com and it opens in a new window, then a second or two later, that coredump.cx in the background can change the URL of the microsoft.com window, and point it to evil.com? Heck, coredump.cx can even wait until

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Dave
On 08/12/2011 09:13, Michal Zalewski wrote: For example: did you know that if you click on a link from coredump.cx to microsoft.com and it opens in a new window, then a second or two later, that coredump.cx in the background can change the URL of

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Michal Zalewski
I run with no script. So the links showed on the initial pages and when clicked. Yes, well, congrats ;-) /mz

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Tavis Ormandy
Nick FitzGerald n...@virus-l.demon.co.uk wrote: _Open_ URL redirectors are trivially prevented by any vaguely sentient web developer as URL redirectors have NO legitimate use from outside one's own site so should ALWAYS be implemented with Referer checking, ensuring they are not _open_

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Charles Morris
Michal/Google, IMHO, $500 is an incredibly minute amount to give even for an error message information disclosure/an open redirect, researchers with bills can't make a living like that.. although it might? be okay for students. How many Google vulnerabilities per month are there expected to be?

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Benji
Sorry, you think people should be making a living off reporting open redirect disclosure? On Thu, Dec 8, 2011 at 2:53 PM, Charles Morris cmor...@cs.odu.edu wrote: Michal/Google, IMHO, $500 is an incredibly minute amount to give even for an error message information disclosure/an open

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Charles Morris
Don't be strange, was I not specific enough? I think people should be encouraged to do the work, if they are good enough to find something that nobody else has noticed yet- and all of these cash for bugs programs have me a bit annoyed. Not offering the money for issues that they claim to offer

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Benji
IMHO, $500 is an incredibly minute amount to give even for an error message information disclosure/an open redirect, researchers with bills can't make a living like that.. although it might? be okay for students. I wasn't being strange, you pretty much implied it. On Thu, Dec 8, 2011 at 3:03 PM,

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Charles Morris
pretty much nearly almost implying and implying are very different things. On Thu, Dec 8, 2011 at 10:05 AM, Benji m...@b3nji.com wrote: IMHO, $500 is an incredibly minute amount to give even for an error message information disclosure/an open redirect, researchers with bills can't make a living

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Pablo Ximenes
Well, I usually support adopting business models into processes that help society, so I would agree with you on the monetary philosophy. But the strategy here isn't (as I understand) driving pro's into the program, but getting rid of unilateral vuln disclosures that happen mostly without direct

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Pablo Ximenes
I think the reward is intended as a symbolic token of appreciation, and not as compensation. That's why they give you the option to donate your cash reward instead of keeping the money. I think what really drives researchers into Google's program is recognition and not compensation, IMHO.

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Charles Morris
I'm sure you are right about Google's intentions, it doesn't really make it any less palatable to me however. I'm just ranting really. haha On Thu, Dec 8, 2011 at 10:13 AM, Pablo Ximenes pa...@ximen.es wrote: Well, I usually support adopting business models into processes that help society,

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Michal Zalewski
Granted, but I know that vulnerability research can take a huge chunk of time out of a person's life, and without getting in to monetary philosophy, I feel that in our current system, a person should be compensated for their time if they've done something useful for society. Is this an

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Pablo Ximenes
2011/12/8 Michal Zalewski lcam...@coredump.cx If you don't like it, let us know how to improve it. You also always have the option of not researching vulnerabilities in these platforms; going with the full-disclosure approach; or selling the flaws to a willing third party. Well, selling

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Valdis . Kletnieks
On Thu, 08 Dec 2011 14:24:21 -0300, Pablo Ximenes said: 2011/12/8 Michal Zalewski lcam...@coredump.cx If you don't like it, let us know how to improve it. You also always have the option of not researching vulnerabilities in these platforms; going with the full-disclosure approach; or

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Gage Bystrom
Good point. Makes me wonder though how many people realize that ZDi and such are third parties. On Dec 8, 2011 9:47 AM, valdis.kletni...@vt.edu wrote: On Thu, 08 Dec 2011 14:24:21 -0300, Pablo Ximenes said: 2011/12/8 Michal Zalewski lcam...@coredump.cx If you don't like it, let us know

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Pablo Ximenes
I was assuming web vulns found in Google's Infrastructure, and not vulnerabilities in general as I imagine Google wouldn't condone selling vulns on their systems to the highest bidder. As far as crimes committed during the process of discovering the vuln itself, Google expressly authorizes

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Valdis . Kletnieks
On Thu, 08 Dec 2011 16:37:57 -0300, Pablo Ximenes said: I was assuming web vulns found in Google's Infrastructure, and not vulnerabilities in general as I imagine Google wouldn't condone selling vulns on their systems to the highest bidder. There's what you don't condone, and then there's what

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread secure poon
Amount in labor it took to find open redirect: $1.00 Amount Google is willing to pay for undisclosed vulnerability: $500.00 The chance that most of Full-Disclosure saw Tubgirl: Priceless For everything else, there's the lulz On Thu, Dec 8, 2011 at 11:50 AM, valdis.kletni...@vt.edu wrote: On

[Full-disclosure] Google open redirect

2011-12-07 Thread secure poon
Problem: Google suffers from an open redirect that can be used to trick users into visiting sites not originating from google.com Example: http://www.google.com/local/add/changeLocale?currentLocation=http://www.bing.com

Re: [Full-disclosure] Google open redirect

2011-12-07 Thread Michele Orru
I'm very curious to know why Google is not taking care about Open Redirection issues. I know what Chris thinks about it: http://scarybeastsecurity.blogspot.com/2010/06/open-redirectors-some-sanity.html Anyway, IMHO I guess it's better and

Re: [Full-disclosure] Google open redirect

2011-12-07 Thread Nick FitzGerald
secure poon wrote: Problem: Google suffers from an open redirect that can be used to trick users into visiting sites not originating from google.com No -- the real problem here is that Google never learns from these... Example:

Re: [Full-disclosure] Google open redirect

2011-12-07 Thread Michal Zalewski
_Open_ URL redirectors are trivially prevented by any vaguely sentient web developer as URL redirectors have NO legitimate use from outside one's own site so should ALWAYS be implemented with Referer checking There are decent solutions to lock down some classes of open redirectors (and replace
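The report at the top of the thread gives the shape of the endpoint (`.../changeLocale?currentLocation=<url>`), Nick proposes Referer checking, and Michal's reply points at ways to lock down some classes of redirectors. The block below is an added example, not code from the thread or from Google, showing two of the usual server-side defences for such a parameter: a strict host allowlist for the target, and an HMAC tag so the redirector only honours links the site itself minted (the class Michal's remark covers; it does not help where the site legitimately mints links to arbitrary third-party targets). The allowed hosts, the signing key and the test URLs are assumptions made for the example; the Referer header is deliberately not relied on, since clients and proxies routinely strip it.

```python
# Added example (not from the thread): hardening a redirect parameter of the
# form ...?currentLocation=<url>. The allowlist, the key and the inputs are
# assumptions made for the example.
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Hosts the redirector may send the browser to (assumed for the example).
ALLOWED_HOSTS = frozenset({"www.google.com", "maps.google.com"})
FALLBACK = "/"


def safe_redirect_target(candidate: str, allowed_hosts=ALLOWED_HOSTS,
                         fallback: str = FALLBACK) -> str:
    """Return `candidate` if it is a same-site path or an http(s) URL on an
    allowed host; otherwise return `fallback`. Deliberately strict: anything
    the parser and a browser might disagree about is refused."""
    # Browsers strip whitespace/control characters and treat '\' as '/';
    # instead of mirroring every such quirk, refuse them outright.
    if not candidate or any(ord(c) < 0x21 or c == "\\" for c in candidate):
        return fallback
    try:
        parts = urlsplit(candidate)
        port = parts.port                  # raises ValueError on a bad port
    except ValueError:
        return fallback

    if parts.scheme == "" and parts.netloc == "":
        # Same-site absolute path such as "/local/add". A protocol-relative
        # "//evil.com" never lands here: urlsplit puts "evil.com" in netloc.
        return urlunsplit(parts) if parts.path.startswith("/") else fallback

    if parts.scheme not in ("http", "https"):
        return fallback                    # javascript:, data:, "" (//host)
    if not parts.netloc:
        return fallback                    # "http:///evil.com" -> browsers read evil.com
    if parts.username is not None or parts.password is not None:
        return fallback                    # "http://www.google.com@evil.com"
    if port is not None:
        return fallback                    # only default ports, keeps the check simple
    if parts.hostname not in allowed_hosts:
        return fallback                    # "www.google.com.evil.com", "evil.com", ...
    return urlunsplit(parts)


# Second defence: the site signs the target when it emits the link, so a
# target an attacker pasted into the parameter fails verification regardless
# of which host it names. The key is an assumption; load it from config.
SIGNING_KEY = b"example-key-rotate-me"


def sign_target(target: str, key: bytes = SIGNING_KEY) -> str:
    """HMAC-SHA256 tag over the exact target string the site minted."""
    return hmac.new(key, target.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_signed_target(target: str, tag: str, key: bytes = SIGNING_KEY) -> bool:
    return hmac.compare_digest(sign_target(target, key), tag)


def redirect_location(target: str, tag: Optional[str] = None) -> str:
    """Decide the Location header: a valid tag proves the site minted the link,
    so the target is honoured as-is; without one, apply the host allowlist."""
    if tag is not None and verify_signed_target(target, tag):
        return target
    return safe_redirect_target(target)


if __name__ == "__main__":
    # The reported shape of the bug: an off-site target in the parameter.
    print(redirect_location("http://www.bing.com"))            # "/"
    # A link the site minted itself carries a tag and is honoured.
    print(redirect_location("http://www.bing.com",
                            sign_target("http://www.bing.com")))
```

`safe_redirect_target` rejects protocol-relative targets (`//www.google.com/...`) too; if those are needed, add an explicit branch rather than relaxing the scheme check, so `//evil.com` stays blocked. A framework usually URL-decodes the query parameter before the code sees it, which is why the control-character check runs on the decoded string.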

Re: [Full-disclosure] Google open redirect

2011-12-07 Thread Luis Santana
As for minimal risk I personally don't agree. I have leveraged Unvalidated URL Redirections in the past to attack clients of sites all the time. It's highly trivial to point to a site with a metasploit browser bug patiently waiting and amass quite a large number of sessions in a short period of

Re: [Full-disclosure] Google open redirect

2011-12-07 Thread Michal Zalewski
As for minimal risk I personally don't agree. I have leveraged Unvalidated URL Redirections in the past to attack clients of sites all the time. It's highly trivial to point to a site with a metasploit browser bug patiently waiting and amass quite a large number of sessions in a short period