[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Google open redirect

To: Marsh Ray <marsh@xxxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Google open redirect
From: Michal Zalewski <lcamtuf@xxxxxxxxxxx>
Date: Fri, 9 Dec 2011 12:54:29 -0800

> They may be in the minority, but there *are* users out there who know how to
> look at the address bar. The security researcher knows this because he is
> one of them. I call this group the "competent and contentious users".

Sure. And that group is sort of safe when faced with open redirectors,
mouseover tooltips, etc - well, modulo funny corner cases like this:

http://lcamtuf.coredump.cx/switch/

...or:

http://lcamtuf.coredump.cx/switch/index2.html

I have seen the "most users don't understand X anyway" as an argument
against fixing X in the browser several times before, and I think
that's wrong; but I'm not sure this is applicable here.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Google open redirect
  - From: Charles Morris

References:
- [Full-disclosure] Google open redirect
  - From: secure poon
- Re: [Full-disclosure] Google open redirect
  - From: Nick FitzGerald
- Re: [Full-disclosure] Google open redirect
  - From: Michal Zalewski
- Re: [Full-disclosure] Google open redirect
  - From: Luis Santana
- Re: [Full-disclosure] Google open redirect
  - From: Michal Zalewski
- Re: [Full-disclosure] Google open redirect
  - From: Marsh Ray

Prev by Date: Re: [Full-disclosure] Minimum Syslog Level Needed for Court Trial
Next by Date: Re: [Full-disclosure] Google open redirect
Previous by thread: Re: [Full-disclosure] Google open redirect
Next by thread: Re: [Full-disclosure] Google open redirect
Index(es):
- Date
- Thread