WebApp Sec mailing list archives

Re: XSS?


From: Pilon Mntry <pilonmntry () yahoo com>
Date: Tue, 15 Nov 2005 07:07:58 -0800 (PST)


We've been getting the same fake messages (phishing
e-mails) over the past 3-4 months and, unfortunately (for this),
people trust the "www.google.xyz" domain name...
I'm not really sure who to blame, but the interesting
issue is: what can Google do about it?
Validating is good; however, with the "I'm feeling
lucky" service, validation doesn't really scale well.

I haven't really thought about any sophisticated
answers, but it seems any other solution would be a
moderate performance hit for Google. (Don't get me
wrong, though, I'm not saying performance has higher
priority here.)


--- Aman Raheja <araheja () techquotes com> wrote:

This is not XSS but indeed a vulnerability, since they are not
validating the URL, and it's irresponsible of Google not to take
care of this kind of vulnerability, which would aid phishing.

Aman Raheja
http://www.techquotes.com

On Tue, 15 Nov 2005 11:52:19 +0800, Andrew Chan
<quickt () gmail com> wrote:

I tried
http://www.google.com/url?q=http://www.microsoft.com
and it got directed. It seems that I received one such
phishing email that makes use of this to obfuscate
the actual URL lately.
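
An added example, not part of the thread and not a description of how Google handles `/url`: one way a redirector can reject crafted targets without a per-request allowlist lookup (the scaling concern raised above) is to sign the links it issues and verify the signature before redirecting. The key, the function names and the `sig` parameter are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key (assumption); a real service loads its secret from configuration.
SECRET_KEY = b"constructed-demo-key"
ALLOWED_SCHEMES = {"http", "https"}


def _sign(target: str) -> bytes:
    """HMAC-SHA256 over the exact target string, hex-encoded as bytes."""
    mac = hmac.new(SECRET_KEY, target.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest().encode("ascii")


def make_redirect_link(target: str) -> str:
    """Build a redirector link for a target the site itself chose to link to."""
    return "/url?" + urlencode({"q": target, "sig": _sign(target).decode("ascii")})


def resolve_redirect(link: str):
    """Return the target only if this service issued the link, else None."""
    params = parse_qs(urlsplit(link).query)
    targets, sigs = params.get("q", []), params.get("sig", [])
    # Exactly one target and one signature; duplicates are treated as tampering.
    if len(targets) != 1 or len(sigs) != 1:
        return None
    target, sig = targets[0], sigs[0].encode("utf-8")
    # Constant-time comparison; one HMAC per request, no lookup table needed.
    if not hmac.compare_digest(_sign(target), sig):
        return None
    parts = urlsplit(target)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return target


if __name__ == "__main__":
    issued = make_redirect_link("http://www.microsoft.com")
    print(resolve_redirect(issued))                              # issued by us
    print(resolve_redirect("/url?q=http://www.microsoft.com"))   # unsigned, refused
```

A caller that gets `None` back would answer with an error or a "you are leaving this site" interstitial instead of a 302.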







        
                