Full Disclosure mailing list archives

Re: Google open redirect

From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Wed, 14 Dec 2011 01:29:44 +0100

Marsh Ray <marsh () extendedsubset com> wrote:

But now if we successfully convince every developer on the planet to
stop using HTTP redirection, that doesn't change that the user doesnt
know how to determine if the URL is trusted or not, so we just use one
of dozens of other simple tricks.

Surely the correct solution is to educate those users who are doing it
incorrectly.


I am in complete agreement with you.

Let's say you are a bank that has just invested in a successful
anti-phishing user education campaign. All the users have been trained to
look beneath the HTML in emails, not to accept invalid SSL certificates,
and only follow "legitimate" links that look like:

      https://*.examplebank.com/

At that point an open redirect is found under your site, such that

https://onlinebanking.examplebank.com/confirm.aspx?customerid=1234&return=http%3a%2f%2fpwn%2ely

drives the browser to the attacker's phishing site.

Does this represent a vulnerability?

- Marsh


So they've trained their users to parse and understand html, can decode
complex documents manually, and understand the difference between anchor
text and destination. They can decipher complex URLs using any of the
obscure syntax supported, and understand the heirarchichal nature of the
domain name system. They've also learned how to verify SSL certificates
without clicking on links (perhaps using openssl s_client?).

Bizarrely, they've also been convinced to never read the address bar (which
is really all they needed to do from the start instead of the hours of
training requiring them to reach this level).

Then yes, you have a vulnerability. However, it's in the criminally
negligent training material provided by the bank :-)

Tavis.

-- 
-------------------------------------
taviso () cmpxchg8b com | pgp encrypted mail preferred
-------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Google open redirect, (continued)
- - - Re: Google open redirect Dave (Dec 08)
    - Re: Google open redirect Michal Zalewski (Dec 08)
    - Re: Google open redirect Marsh Ray (Dec 09)
    - Re: Google open redirect Michal Zalewski (Dec 09)
    - Re: Google open redirect Charles Morris (Dec 12)
    - Re: Google open redirect Valdis . Kletnieks (Dec 09)
    - Re: Google open redirect Marsh Ray (Dec 11)
    - Re: Google open redirect Dave (Dec 09)
    - Re: Google open redirect Tavis Ormandy (Dec 10)
    - Re: Google open redirect Marsh Ray (Dec 13)
    - Re: Google open redirect Tavis Ormandy (Dec 13)
    - Re: Google open redirect Charles Morris (Dec 08)
    - Re: Google open redirect Benji (Dec 08)
    - Re: Google open redirect Charles Morris (Dec 08)
    - Re: Google open redirect Benji (Dec 08)
    - Re: Google open redirect Charles Morris (Dec 08)
    - Re: Google open redirect Pablo Ximenes (Dec 08)
    - Re: Google open redirect Charles Morris (Dec 08)
    - Re: Google open redirect Pablo Ximenes (Dec 08)
    - Re: Google open redirect Charles Morris (Dec 08)
    - Re: Google open redirect Michal Zalewski (Dec 08)

(Thread continues...)