Re: Google open redirect

[Michal Zalewski <lcamtuf () coredump cx>]

> As for minimal risk I personally don't agree. I have leveraged Unvalidated
> URL Redirections in the past to attack clients of sites all the time. It's
> highly trivial to point to a site with a metasploit browser bug patiently
> waiting and amass quite a large number of sessions in a short period of time
> should your spam campaign be efficient and actually draw users to the
> vulnerable site.

The problem is that the current contents of the address bar are about
the only security indicator you have in the browser. It's unfortunate,
and many users don't truly grasp this; and even if they do, they don't
understand the intricacies of the URL syntax - but still, that's what
we have to live with. The security community should try to fix this
huge problem - but the progress on this and many other fundamental
challenges in browser security is often hindered by the dynamics of
vendor-researcher interactions.

For time being, if you make security decisions based on onmouseover
tooltips, link text, or anything along these lines, and do not examine
the address bar of the site you are ultimately interacting with, there
is very little any particular web application can do to save you: you
are just at a significant risk wherever you go. If you take away open
redirectors, a myriad of other, comparable ways to fool you remain,
and can't be fixed easily.

For example: did you know that if you click on a link from coredump.cx
to microsoft.com and it opens in a new window, then a second or two
later, that coredump.cx in the background can change the URL of the
microsoft.com window, and point it to evil.com? Heck, coredump.cx can
even wait until you navigate further down the microsoft.com website -
and detect that event programmatically. That behavior is enshrined
within the current design of the same-origin policy, and browser
vendors seem hesitant to touch it.

I posted a brief rant about it about two years ago:

http://lcamtuf.blogspot.com/2010/04/address-bar-and-sea-of-darkness.html

I've been in the community for a while, and I hope it goes without
saying that I'm not here to be a mouthpiece for my current employer; I
just genuinely think it's a complicated problem, and we need to pick
our battles carefully. Redirectors are not particularly desirable, but
the big picture is less obvious than it seems.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/