WebApp Sec mailing list archives
Re: XSS?
From: Pilon Mntry <pilonmntry () yahoo com>
Date: Tue, 15 Nov 2005 07:07:58 -0800 (PST)
We've been getting the same fake messages (phishing e-mails) over the past 3-4 months and, (for this) unfortunately, people trust the "www.google.xyz" domain name... I'm not really sure who to blame, but the interesting issue is: what can Google do about it?

Validating is good; however, with the "I'm feeling lucky" service, validation doesn't really scale well. I haven't really thought about any sophisticated answers, but it seems any other solution would be a moderate performance hit for Google. (Don't get me wrong, though, I'm not saying performance has higher priority here.)

--- Aman Raheja <araheja () techquotes com> wrote:
This is not XSS but indeed a vulnerability, since they are not validating the URL, and it's irresponsible of Google not to take care of this kind of vulnerability, which would aid phishing.

Aman Raheja
http://www.techquotes.com

On Tue, 15 Nov 2005 11:52:19 +0800, Andrew Chan <quickt () gmail com> wrote:

I tried http://www.google.com/url?q=http://www.microsoft.com and it got directed. It seems that I received one such phishing email that makes use of this to obfuscate the actual URL lately.
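An added example, not part of the original thread and not a description of how Google's redirector works: one way a `/url?q=` redirector can refuse arbitrary destinations without keeping a list of valid ones is to follow only links it signed itself. The key, the `sig` parameter and the function names are assumptions made for this sketch.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a real deployment would load and rotate a secret.
SECRET_KEY = b"constructed-demo-key-not-for-production"
ALLOWED_SCHEMES = ("http", "https")


def _tag(target: str) -> bytes:
    """HMAC-SHA256 over the exact destination string, hex encoded."""
    mac = hmac.new(SECRET_KEY, target.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest().encode("ascii")


def make_redirect_link(target: str) -> str:
    """Called by the site when it renders one of its own outbound links."""
    if urlsplit(target).scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("only http(s) destinations are signed")
    return "/url?" + urlencode({"q": target, "sig": _tag(target).decode()})


def resolve_redirect(request_uri: str):
    """Return the destination to redirect to, or None to refuse.

    A link is followed only when its tag verifies, i.e. the site itself
    generated it. A hand-built ?q= URL carries no valid tag.
    """
    params = parse_qs(urlsplit(request_uri).query, keep_blank_values=True)
    targets, sigs = params.get("q", []), params.get("sig", [])
    # Exactly one of each: duplicated or missing parameters are refused.
    if len(targets) != 1 or len(sigs) != 1:
        return None
    target, sig = targets[0], sigs[0]
    if urlsplit(target).scheme.lower() not in ALLOWED_SCHEMES:
        return None
    # Constant-time comparison of the recomputed tag with the supplied one.
    if not hmac.compare_digest(_tag(target), sig.encode("utf-8")):
        return None
    return target


if __name__ == "__main__":
    good = make_redirect_link("http://www.microsoft.com")
    print(good, "->", resolve_redirect(good))
    print(resolve_redirect("/url?q=http://www.microsoft.com"))  # unsigned
```

The per-request cost is one HMAC computation, which bears on the scaling concern raised in the reply above.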