Full Disclosure mailing list archives

Re: Google open redirect


From: Michele Orru <antisnatchor () gmail com>
Date: Wed, 07 Dec 2011 20:24:36 +0100

I'm very curious to know why Google is not taking care of Open
Redirection issues.

I know what Chris thinks about it:
http://scarybeastsecurity.blogspot.com/2010/06/open-redirectors-some-sanity.html

Anyway, IMHO I guess it's better and stealthier, from an attacker's point
of view, to use an open redirection in Google encoding the redirected
domain than to register goooogle.com and phish his victims with that fake
domain.

Cheers
antisnatchor

secure poon wrote:
Problem:

Google suffers from an open redirect that can be used to trick users into
visiting sites not originating from google.com

Example:

http://www.google.com/local/add/changeLocale?currentLocation=http://www.bing.com

http://www.google.com/local/add/changeLocale?currentLocation=http://www.tubgirl.ca

Regards
suckure


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

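
Added example, not part of the original posts and not Google's code: one way a handler could validate a redirect parameter such as `currentLocation` before issuing the redirect, covering the percent-encoded form mentioned in the reply. The allowlist, the fallback path and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed policy for illustration; the real handler's policy is not on the page.
ALLOWED_HOSTS = {"www.google.com"}
FALLBACK = "/"

def safe_target(value, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return value if it is a same-site path or an allowlisted http(s) URL, else fallback."""
    # Browsers strip tabs/newlines and treat "\" like "/", so reject those characters outright.
    if not value or "\\" in value or any(ord(c) < 0x21 or ord(c) == 0x7F for c in value):
        return fallback
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed bracketed host
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a path that starts with exactly one slash.
        return value if value.startswith("/") and not value.startswith("//") else fallback
    if parts.scheme not in ("http", "https"):
        return fallback
    # hostname drops userinfo and port, so "www.google.com@other" resolves to "other".
    host = (parts.hostname or "").rstrip(".").lower()
    return value if host in allowed_hosts else fallback

def redirect_for(request_url, param="currentLocation"):
    """Extract the parameter (percent-decoded once, as a framework would) and validate it."""
    values = parse_qs(urlsplit(request_url).query).get(param, [])
    return safe_target(values[0]) if values else FALLBACK

if __name__ == "__main__":
    base = "http://www.google.com/local/add/changeLocale?currentLocation="
    # First value is the example from the post; the rest are constructed test inputs.
    for v in ("http://www.bing.com", "http%3A%2F%2Fwww.bing.com", "%2F%2Fwww.bing.com",
              "http://www.google.com@www.bing.com/", "%2Fmaps", "https://www.google.com/maps"):
        print(f"{v!r:45} -> {redirect_for(base + v)!r}")
```

The check runs on the decoded value that would be written to the `Location` header, so encoding the target in the query string does not change the outcome.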

