Full Disclosure mailing list archives

Re: Google open redirect


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 08 Dec 2011 13:04:48 +1300

secure poon wrote:

> Problem:
>
> Google suffers from an open redirect that can be used to trick users into
> visiting sites not originating from google.com

No -- the real problem here is that Google never learns from these...

> Example:
>
> http://www.google.com/local/add/changeLocale?currentLocation=http://www.bing.com
>
> http://www.google.com/local/add/changeLocale?currentLocation=http://www.tubgirl.ca

Just like all the ones that came before and all the new ones some or 
other moron at Google will devise tomorrow, next Wednesday, etc, etc.

_Open_ URL redirectors are trivially prevented by any vaguely sentient 
web developer as URL redirectors have NO legitimate use from outside 
one's own site so should ALWAYS be implemented with Referer checking, 
ensuring they are not _open_ redirectors...

(And yes, that means that URL shorteners _as a group_ have no 
legitimate use.)

Apparently Google's web developers are so stubbornly unable to absorb 
this simple notion that it has become company policy that officially 
Google does not care about open redirectors:

   http://www.google.com/about/corporate/company/rewardprogram.html#url-redirection

Notice they do not distinguish between "URL redirectors" (almost 
necessary in many website designs, including their own) and _open_ 
redirectors (the work of ignorant web designers who do not care about 
the reputation of their site/brand/etc).  I'd have thought that "good 
sites" (i.e. "non-evil" ones) would be expected to not want their 
reputation sullied by the kind of trivially prevented reputation abuse 
that _open_ URL redirectors provide.

But we are talking about Google...



Regards,

Nick FitzGerald


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
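
The Referer check described in the message above, as an added example (not code from the original post or from Google): a decision function for a changeLocale-style redirector whose currentLocation parameter is untrusted. SITE_HOSTS, FALLBACK and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the hosts that make up "one's own site".
SITE_HOSTS = {"www.example.com", "example.com"}
FALLBACK = "/"  # assumed landing page for refused requests


def _host(url):
    """Hostname of an absolute http(s) URL, or None if it is anything else."""
    url = url or ""
    # Browsers treat "\" like "/" and skip userinfo; refuse both so the host
    # parsed here is the host the browser will actually contact.
    if "\\" in url:
        return None
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or "@" in parts.netloc:
        return None
    return parts.hostname


def redirect_target(referer, current_location):
    """Decide where the redirector may send the browser.

    referer: value of the Referer request header, or None if absent.
    current_location: the untrusted currentLocation query parameter.
    """
    target_host = _host(current_location)
    if target_host is None:
        return FALLBACK                # relative, javascript:, malformed
    if target_host in SITE_HOSTS:
        return current_location        # stays on our own site
    # Off-site target: follow it only when the request came from one of our
    # own pages. Exact host comparison, never substring or prefix matching.
    if _host(referer) in SITE_HOSTS:
        return current_location
    return FALLBACK                    # missing or foreign Referer
```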

