Re: Google open redirect

[Michal Zalewski <lcamtuf () coredump cx>]

> _Open_ URL redirectors are trivially prevented by any vaguely sentient
> web developer as URL redirectors have NO legitimate use from outside
> one's own site so should ALWAYS be implemented with Referer checking

There are decent solutions to lock down some classes of open
redirectors (and replace others with direct linking), but "Referer"
checking isn't one of them. It has several subtle problems that render
it largely useless in real-world apps.

There are also some classes of redirection / content proxying problems
that you can't quite eliminate until you give up on offering certain
functionality to users (e.g. page translation, cached document views,
embeddable <iframe> gadgets) - and that's actually an interesting
conceptual struggle.

> Apparently Google's web developers are so stubbornly unable to absorb
> this simple notion that it has become company policy that officially
> Google does not care about open redirectors:
>
>   http://www.google.com/about/corporate/company/rewardprogram.html#url-redirection

I actually wrote that bit, and as far as I remember, it's not a
half-assed attempt to justify incompetence ;-)

We have a vulnerability reward program, and it's just about not paying
$500 for reports of that vulnerability - along with not paying for
many other minimal-risk problems such as path disclosure.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/