Marsh Ray wrote:
> > But now if we successfully convince every developer on the planet to
> > stop using HTTP redirection, that doesn't change that the user doesn't
> > know how to determine if the URL is trusted or not, so we just use one
> > of dozens of other simple tricks.
> >
> > Surely the co
On 12/10/2011 06:20 AM, Tavis Ormandy wrote:
>
> I'm not sure I understand whether you're saying that vendors need to make
> users expectations match reality,
A. The vendor, through their UI, needs to set users' expectations properly.
B. The actual security of the user needs to live up to what is
Just quickly I digress; this is a massive problem in the mindset of many.
They won't ever learn about something if they aren't ever made aware of it.
Say, by fixing the problem...
>
> I have seen the "most users don't understand X anyway" as an argument
> against fixing X in the browser several
On 12/09/2011 03:16 PM, valdis.kletni...@vt.edu wrote:
> On Fri, 09 Dec 2011 14:31:15 CST, Marsh Ray said:
>
>> They may be in the minority, but there *are* users out there who know
>> how to look at the address bar. The security researcher knows this
>> because he is one of them. I call this group
Marsh Ray wrote:
> On 12/08/2011 12:37 AM, Michal Zalewski wrote:
> >
> > For time being, if you make security decisions based on onmouseover
> > tooltips, link text, or anything along these lines, and do not examine
> > the address bar of the site you are ultimately interacting with, there
> > i
On 09/12/2011 20:31, Marsh Ray wrote:
> On 12/08/2011 12:37 AM, Michal Zalewski wrote:
>>
>> For time being, if you make security decisions based on onmouseover
>> tooltips, link text, or anything along these lines, and do not examine
>> the address ba
On Fri, 09 Dec 2011 14:31:15 CST, Marsh Ray said:
> They may be in the minority, but there *are* users out there who know
> how to look at the address bar. The security researcher knows this
> because he is one of them. I call this group the "competent and
> contentious users".
Did you mean "cont
> They may be in the minority, but there *are* users out there who know how to
> look at the address bar. The security researcher knows this because he is
> one of them. I call this group the "competent and contentious users".
Sure. And that group is sort of safe when faced with open redirectors,
On 12/08/2011 12:37 AM, Michal Zalewski wrote:
>
> For time being, if you make security decisions based on onmouseover
> tooltips, link text, or anything along these lines, and do not examine
> the address bar of the site you are ultimately interacting with, there
> is very little any particular we
Amount in labor it took to find open redirect: $1.00
Amount Google is willing to pay for undisclosed vulnerability: $500.00
The chance that most of Full-Disclosure saw Tubgirl: Priceless
For everything else, there's the lulz
On Thu, Dec 8, 2011 at 11:50 AM, wrote:
> On Thu, 08 Dec 2011 16:37
On Thu, 08 Dec 2011 16:37:57 -0300, Pablo Ximenes said:
> I was assuming web vulns found in Google's Infrastructure, and not
> vulnerabilities in general as I imagine Google wouldn't condone selling
> vulns on their systems to the highest bidder.
There's what you don't condone, and then there's wh
I was assuming web vulns found in Google's Infrastructure, and not
vulnerabilities in general as I imagine Google wouldn't condone selling
vulns on their systems to the highest bidder.
As far as crimes committed during the process of discovering the vuln
itself, Google expressly authorizes security
Good point.
Makes me wonder though how many people realize that ZDi and such are third
parties.
On Dec 8, 2011 9:47 AM, wrote:
> On Thu, 08 Dec 2011 14:24:21 -0300, Pablo Ximenes said:
> > 2011/12/8 Michal Zalewski
> > > If you don't like it, let us know how to improve it. You also always
>
On Thu, 08 Dec 2011 14:24:21 -0300, Pablo Ximenes said:
> 2011/12/8 Michal Zalewski
> > If you don't like it, let us know how to improve it. You also always
> > have the option of not researching vulnerabilities in these platforms;
> > going with the full-disclosure approach; or selling the flaws
2011/12/8 Michal Zalewski
>
> If you don't like it, let us know how to improve it. You also always
> have the option of not researching vulnerabilities in these platforms;
> going with the full-disclosure approach; or selling the flaws to a
> willing third party.
>
>
Well, selling flaws to third
> Granted, but I know that vulnerability research can take a huge chunk
> of time out of a person's life, and without getting in to "monetary
> philosophy",
> I feel that in our current system, a person should be compensated for their
> time if they've done something useful for society.
Is this a
I'm sure you are right about Google's intentions; it doesn't really
make it any less palatable to me, however.
I'm just ranting really. haha
On Thu, Dec 8, 2011 at 10:13 AM, Pablo Ximenes wrote:
> Well, I usually support adopting business models into processes that help
> society, so I would agr
I think the reward is intended as a symbolic token of appreciation, and not
as compensation. That's why they give you the option to donate your cash
reward instead of keeping the money. I think what really drives researchers
into Google's program is recognition and not compensation, IMHO.
2011/1
Well, I usually support adopting business models into processes that help
society, so I would agree with you on the "monetary philosophy".
But the strategy here isn't (as I understand) driving pros into the
program, but getting rid of unilateral vuln disclosures that happen mostly
without direct
"pretty much nearly almost implying" and "implying" are very different things.
On Thu, Dec 8, 2011 at 10:05 AM, Benji wrote:
>>>IMHO, 500$ is an incredibly minute amount to give even for an error
>>>message information disclosure/an open redirect,
>>>researchers with bills can't make a living like
Granted, but I know that vulnerability research can take a huge chunk
of time out of a person's life,
and without getting in to "monetary philosophy", I feel that in our
current system, a person should
be compensated for their time if they've done something useful for society.
That's sort of the po
>>IMHO, 500$ is an incredibly minute amount to give even for an error
>>message information disclosure/an open redirect,
>>researchers with bills can't make a living like that.. although it
>>might? be okay for students.
I wasn't being "strange", you pretty much implied it.
On Thu, Dec 8, 2011 at
Don't be strange, was I not specific enough?
I think people should be encouraged to do the work,
if they are good enough to find something that nobody else has noticed yet-
and all of these "cash for bugs" programs have me a bit annoyed.
Not offering the money for issues that they claim to offer
Sorry, you think people should be making a living off reporting open
redirect disclosure?
On Thu, Dec 8, 2011 at 2:53 PM, Charles Morris wrote:
> Michal/Google,
>
> IMHO, 500$ is an incredibly minute amount to give even for an error
> message information disclosure/an open redirect,
> researchers
Michal/Google,
IMHO, 500$ is an incredibly minute amount to give even for an error
message information disclosure/an open redirect,
researchers with bills can't make a living like that.. although it
might? be okay for students.
How many Google vulnerabilities per month are there expected to be?
Gr
Nick FitzGerald wrote:
> _Open_ URL redirectors are trivially prevented by any vaguely sentient web
> developer as URL redirectors have NO legitimate use from outside one's own
> site so should ALWAYS be implemented with Referer checking, ensuring they
> are not _open_ redirectors...
>
Although
> I run with no script. So the links showed on the initial pages and when
> clicked.
Yes, well, congrats ;-)
/mz
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - h
On 08/12/2011 09:13, Michal Zalewski wrote:
>> For example: did you know that if you click on a link from coredump.cx
>> to microsoft.com and it opens in a new window, then a second or two
>> later, that coredump.cx in the background can change the URL
> For example: did you know that if you click on a link from coredump.cx
> to microsoft.com and it opens in a new window, then a second or two
> later, that coredump.cx in the background can change the URL of the
> microsoft.com window, and point it to evil.com? Heck, coredump.cx can
> even wait un
> As for minimal risk I personally don't agree. I have leveraged Unvalidated
> URL Redirections in the past to attack clients of sites all the time. It's
> highly trivial to point to a site with a metasploit browser bug patiently
> waiting and amass quite a large number of sessions in a short perio
As for minimal risk I personally don't agree. I have leveraged Unvalidated
URL Redirections in the past to attack clients of sites all the time. It's
highly trivial to point to a site with a metasploit browser bug patiently
waiting and amass quite a large number of sessions in a short period of
tim
> _Open_ URL redirectors are trivially prevented by any vaguely sentient
> web developer as URL redirectors have NO legitimate use from outside
> one's own site so should ALWAYS be implemented with Referer checking
There are decent solutions to lock down some classes of open
redirectors (and repla
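The two posts above describe the fix in words: a redirector has no business sending users off-site, so it should only honour destinations on the site's own host, and a Referer check can be added as a second layer. The following is an added example of that policy, not code from this thread, from Google, or from any of the posters; the host names, the Referer-deny-by-default choice and the function names are assumptions made for the demonstration.

```python
"""Closing an open redirector: validate the target, then (optionally) the Referer.

Added example for the thread above; the allow-list below is constructed, and
a real deployment would substitute its own origins.
"""
from typing import Optional
from urllib.parse import urlsplit, urljoin

# Constructed allow-list of hosts this redirector may send users to.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
SITE_ORIGIN = "https://www.example.com"


def is_safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if `target` is an absolute path on this site or an http(s) URL
    whose host is in the allow-list. Everything else (other hosts, other
    schemes, parser-confusing input) is rejected."""
    if not target:
        return False
    # Control characters and whitespace are a classic way to confuse URL parsers.
    if any(ord(c) < 0x20 or c.isspace() for c in target):
        return False
    # Some browsers treat "\" as "/", so "/\evil.net" can become "//evil.net".
    if "\\" in target:
        return False
    try:
        parts = urlsplit(target)
        port = parts.port  # may raise ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, ftp:, ...
    if not parts.scheme and not parts.netloc:
        # A plain path. "//host" has netloc set, so it is handled below instead.
        return target.startswith("/") and not target.startswith("//")
    host = parts.hostname  # strips any "user@" prefix, so "ours.com@evil" -> "evil"
    if host is None:
        return False
    return host.lower() in allowed_hosts and (port is None or port in (80, 443))


def referer_is_same_site(referer: Optional[str], allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Second layer suggested in the thread: only honour the redirector when the
    request came from our own pages. Caveat: Referer is often stripped by
    privacy extensions or Referrer-Policy, so this example treats a missing
    header as 'deny' and relies on the safe fallback in resolve_redirect()."""
    if not referer:
        return False
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return False
    return host is not None and host.lower() in allowed_hosts


def resolve_redirect(target: str, referer: Optional[str]) -> str:
    """Return the Location header value to emit. Anything that fails either
    check lands on the site root rather than on an attacker-chosen URL."""
    if referer_is_same_site(referer) and is_safe_redirect_target(target):
        return urljoin(SITE_ORIGIN, target)
    return SITE_ORIGIN + "/"


if __name__ == "__main__":
    # Constructed inputs in the shape of the changeLocale example from the thread.
    same_site_page = "https://www.example.com/local/add"
    for candidate in ("/settings", "http://www.bing.com", "//evil.example.net/",
                      "https://www.example.com@evil.example.net/", "javascript:alert(1)"):
        print(f"{candidate!r:50} -> {resolve_redirect(candidate, same_site_page)}")
```

The host allow-list does the real work; the Referer check only narrows who can trigger the redirector and should not be relied on alone, since the header is frequently absent. Note that `urlsplit().hostname` discards any `user@` prefix, which is why `https://www.example.com@evil.example.net/` is correctly classified as off-site.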
secure poon wrote:
> Problem:
>
> Google suffers from an open redirect that can be used to trick users into
> visiting sites not originating from google.com
No -- the real problem here is that Google never learns from these...
> Example:
>
> http://www.google.com/local/add/changeLocale?current
I'm very curious to know why Google is not taking care of Open
Redirection issues.
I know what Chris think about it:
http://scarybeastsecurity.blogspot.com/2010/06/open-redirectors-some-sanity.html
Anyway, IMHO I guess it's better and stealthie
Problem:
Google suffers from an open redirect that can be used to trick users into
visiting sites not originating from google.com
Example:
http://www.google.com/local/add/changeLocale?currentLocation=http://www.bing.com
http://www.google.com/local/add/changeLocale?currentLocation=http://www.tub