Re: Google open redirect

[Michal Zalewski <lcamtuf () coredump cx>]

> They may be in the minority, but there *are* users out there who know how to
> look at the address bar. The security researcher knows this because he is
> one of them. I call this group the "competent and contentious users".

Sure. And that group is sort of safe when faced with open redirectors,
mouseover tooltips, etc - well, modulo funny corner cases like this:

http://lcamtuf.coredump.cx/switch/

...or:

http://lcamtuf.coredump.cx/switch/index2.html

I have seen the "most users don't understand X anyway" as an argument
against fixing X in the browser several times before, and I think
that's wrong; but I'm not sure this is applicable here.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/