Re: [Full-disclosure] Google open redirect
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Google open redirect
- From: Dave <mrx@xxxxxxxxxxxxxxxxxxx>
- Date: Thu, 08 Dec 2011 09:34:49 +0000
On 08/12/2011 09:13, Michal Zalewski wrote:
>> For example: did you know that if you click on a link from coredump.cx
>> to microsoft.com and it opens in a new window, then a second or two
>> later, that coredump.cx in the background can change the URL of the
>> microsoft.com window, and point it to evil.com? Heck, coredump.cx can
>> even wait until you navigate further down the microsoft.com website -
>> and detect that event programmatically. That behavior is enshrined
>> within the current design of the same-origin policy, and browser
>> vendors seem hesitant to touch it.
>
> Here's a tiny PoC:
> http://lcamtuf.coredump.cx/switch/
>
> /mz

I run with no script. So the links showed on the initial pages and when clicked. The same address as the links appeared in the address bar when I clicked the links.

Running with scripting enabled and clicking the "do it" button caused this to appear in the address bar: "data:text/html;np.cx/beaver/"

I do online banking and, being paranoid, I do check the address bar and look for https and the "verified by: VeriSign, Inc" popup when I mouse over the domain. If anything even slightly suspicious occurs when connecting to my banking logon, I will inspect the certificate and may even examine the page source, depending on how suspicious I am that my bookmarks may have been compromised or the page is not what I expect it to be.

Obviously many users are not this paranoid, otherwise phishing would not be as successful as it is.

Dave
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/