secure poon wrote: > Problem: > > Google suffers from an open redirect that can be used to trick users into > visiting sites not originating from google.com
No -- the real problem here is that Google never learns from these... > Example: > > http://www.google.com/local/add/changeLocale?currentLocation=http://www.bing.com > > http://www.google.com/local/add/changeLocale?currentLocation=http://www.tubgirl.ca Just like all the ones that came before and all the new ones some or other moron at Google will devise tomorrow, next Wednesday, etc, etc. _Open_ URL redirectors are trivially prevented by any vaguely sentient web developer as URL redirectors have NO legitimate use from outside one's own site so should ALWAYS be implemented with Referer checking, ensuring they are not _open_ redirectors... (And yes, that means that URL shorteners _as a group_ have no legitimate use.) Apparently Google's web developers are so stubbornly unable to absorb this simple notion that it has become company policy that officially Google does not care about open redirectors: http://www.google.com/about/corporate/company/rewardprogram.html#url-redirection Notice they do not distinguish between "URL redirectors" (almost necessary in many website designs, including their own) and _open_ redirectors (the work of ignorant web designers who do not care about the reputation of their site/brand/etc). I'd have thought that "good sites" (i.e. "non-evil" ones) would be expected to not want their reputation sullied by the kind of trivially prevented reputation abuse that _open_ URL redirectors provide. But we are talking about Google... Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
