On 12/10/2011 06:20 AM, Tavis Ormandy wrote:
I'm not sure I understand whether you're saying that vendors need to make
users' expectations match reality,
A. The vendor, through their UI, needs to set users' expectations properly.
B. The actual security of the user needs to live up to what is
Marsh Ray ma...@extendedsubset.com wrote:
But now if we successfully convince every developer on the planet to
stop using HTTP redirection, that doesn't change that the user doesn't
know how to determine if the URL is trusted or not, so we just use one
of dozens of other simple tricks.
Just quickly I digress; this is a massive problem in the mindset of many.
They won't ever learn about something if they aren't ever made aware of it.
Say, by fixing the problem...
I have seen "most users don't understand X anyway" as an argument
against fixing X in the browser several
On 12/09/2011 03:16 PM, valdis.kletni...@vt.edu wrote:
On Fri, 09 Dec 2011 14:31:15 CST, Marsh Ray said:
They may be in the minority, but there *are* users out there who know
how to look at the address bar. The security researcher knows this
because he is one of them. I call this group the
Marsh Ray ma...@extendedsubset.com wrote:
On 12/08/2011 12:37 AM, Michal Zalewski wrote:
For time being, if you make security decisions based on onmouseover
tooltips, link text, or anything along these lines, and do not examine
the address bar of the site you are ultimately interacting
On 12/08/2011 12:37 AM, Michal Zalewski wrote:
For time being, if you make security decisions based on onmouseover
tooltips, link text, or anything along these lines, and do not examine
the address bar of the site you are ultimately interacting with, there
is very little any particular web
They may be in the minority, but there *are* users out there who know how to
look at the address bar. The security researcher knows this because he is
one of them. I call this group the competent and contentious users.
Sure. And that group is sort of safe when faced with open redirectors,
On Fri, 09 Dec 2011 14:31:15 CST, Marsh Ray said:
They may be in the minority, but there *are* users out there who know
how to look at the address bar. The security researcher knows this
because he is one of them. I call this group the competent and
contentious users.
Did you mean
On 09/12/2011 20:31, Marsh Ray wrote:
On 12/08/2011 12:37 AM, Michal Zalewski wrote:
For time being, if you make security decisions based on onmouseover
tooltips, link text, or anything along these lines, and do not examine
the address bar of the
For example: did you know that if you click on a link from coredump.cx
to microsoft.com and it opens in a new window, then a second or two
later, that coredump.cx in the background can change the URL of the
microsoft.com window, and point it to evil.com? Heck, coredump.cx can
even wait until
On 08/12/2011 09:13, Michal Zalewski wrote:
For example: did you know that if you click on a link from coredump.cx
to microsoft.com and it opens in a new window, then a second or two
later, that coredump.cx in the background can change the URL of
I run with no script. So the links showed on the initial pages and when
clicked.
Yes, well, congrats ;-)
/mz
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia -
Nick FitzGerald n...@virus-l.demon.co.uk wrote:
_Open_ URL redirectors are trivially prevented by any vaguely sentient web
developer as URL redirectors have NO legitimate use from outside one's own
site so should ALWAYS be implemented with Referer checking, ensuring they
are not _open_
Michal/Google,
IMHO, 500$ is an incredibly minute amount to give even for an error
message information disclosure/an open redirect,
researchers with bills can't make a living like that.. although it
might? be okay for students.
How many Google vulnerabilities per month are there expected to be?
Sorry, you think people should be making a living off reporting open
redirect disclosure?
On Thu, Dec 8, 2011 at 2:53 PM, Charles Morris cmor...@cs.odu.edu wrote:
Michal/Google,
IMHO, 500$ is an incredibly minute amount to give even for an error
message information disclosure/an open
Don't be strange, was I not specific enough?
I think people should be encouraged to do the work,
if they are good enough to find something that nobody else has noticed yet-
and all of these cash for bugs programs have me a bit annoyed.
Not offering the money for issues that they claim to offer
IMHO, 500$ is an incredibly minute amount to give even for an error
message information disclosure/an open redirect,
researchers with bills can't make a living like that.. although it
might? be okay for students.
I wasn't being strange, you pretty much implied it.
On Thu, Dec 8, 2011 at 3:03 PM,
pretty much nearly almost implying and implying are very different things.
On Thu, Dec 8, 2011 at 10:05 AM, Benji m...@b3nji.com wrote:
IMHO, 500$ is an incredibly minute amount to give even for an error
message information disclosure/an open redirect,
researchers with bills can't make a living
Well, I usually support adopting business models into processes that help
society, so I would agree with you on the monetary philosophy.
But the strategy here isn't (as I understand) driving pros into the
program, but getting rid of unilateral vuln disclosures that happen mostly
without direct
I think the reward is intended as a symbolic token of appreciation, and not
as compensation. That's why they give you the option to donate your cash
reward instead of keeping the money. I think what really drives researchers
into Google's program is recognition and not compensation, IMHO.
I'm sure you are right about Google's intentions, it doesn't really
make it any less palatable to me however.
I'm just ranting really. haha
On Thu, Dec 8, 2011 at 10:13 AM, Pablo Ximenes pa...@ximen.es wrote:
Well, I usually support adopting business models into processes that help
society,
Granted, but I know that vulnerability research can take a huge chunk
of time out of a person's life, and without getting in to monetary
philosophy,
I feel that in our current system, a person should be compensated for their
time if they've done something useful for society.
Is this an
2011/12/8 Michal Zalewski lcam...@coredump.cx
If you don't like it, let us know how to improve it. You also always
have the option of not researching vulnerabilities in these platforms;
going with the full-disclosure approach; or selling the flaws to a
willing third party.
Well, selling
On Thu, 08 Dec 2011 14:24:21 -0300, Pablo Ximenes said:
2011/12/8 Michal Zalewski lcam...@coredump.cx
If you don't like it, let us know how to improve it. You also always
have the option of not researching vulnerabilities in these platforms;
going with the full-disclosure approach; or
Good point.
Makes me wonder though how many people realize that ZDi and such are third
parties.
On Dec 8, 2011 9:47 AM, valdis.kletni...@vt.edu wrote:
On Thu, 08 Dec 2011 14:24:21 -0300, Pablo Ximenes said:
2011/12/8 Michal Zalewski lcam...@coredump.cx
If you don't like it, let us know
I was assuming web vulns found in Google's Infrastructure, and not
vulnerabilities in general as I imagine Google wouldn't condone selling
vulns on their systems to the highest bidder.
As far as crimes committed during the process of discovering the vuln
itself, Google expressly authorizes
On Thu, 08 Dec 2011 16:37:57 -0300, Pablo Ximenes said:
I was assuming web vulns found in Google's Infrastructure, and not
vulnerabilities in general as I imagine Google wouldn't condone selling
vulns on their systems to the highest bidder.
There's what you don't condone, and then there's what
Amount in labor it took to find open redirect: $1.00
Amount Google is willing to pay for undisclosed vulnerability: $500.00
The chance that most of Full-Disclosure saw Tubgirl: Priceless
For everything else, there's the lulz
On Thu, Dec 8, 2011 at 11:50 AM, valdis.kletni...@vt.edu wrote:
On
Problem:
Google suffers from an open redirect that can be used to trick users into
visiting sites not originating from google.com
Example:
http://www.google.com/local/add/changeLocale?currentLocation=http://www.bing.com
I'm very curious to know why Google is not taking care about Open
Redirection issues.
I know what Chris thinks about it:
http://scarybeastsecurity.blogspot.com/2010/06/open-redirectors-some-sanity.html
Anyway, IMHO I guess it's better and
secure poon wrote:
Problem:
Google suffers from an open redirect that can be used to trick users into
visiting sites not originating from google.com
No -- the real problem here is that Google never learns from these...
Example:
_Open_ URL redirectors are trivially prevented by any vaguely sentient
web developer as URL redirectors have NO legitimate use from outside
one's own site so should ALWAYS be implemented with Referer checking
There are decent solutions to lock down some classes of open
redirectors (and replace
As for minimal risk I personally don't agree. I have leveraged Unvalidated
URL Redirections in the past to attack clients of sites all the time. It's
highly trivial to point to a site with a metasploit browser bug patiently
waiting and amass quite a large number of sessions in a short period of