RE: XSS?

["Matt Fisher" <mfisher () spidynamics com>]

[ Bit late, way behind on mail  ] 

The standard thing I've seen done, particularly on .gov's is to have a
"redirection message" that says "You are now being redirected to .....
Please note that this site is not affiliated with xyz.  You will be
redirected in 3 seconds". 

Seems that would fix the issue of people confusing the final site as
being google.  I don't consider this a vuln either, and not even much of
a phishing 'enabler'.  Google doesn't frame the site, they 302 to it.
You can only hold hands for so long ... at some point people have to
realize the url has completely changed and they're not on google



 

> -----Original Message-----
> From: Serg Belokamen [mailto:serg.belokamen () gmail com] 
> Sent: Wednesday, November 16, 2005 10:32 PM
> To: Aman Raheja
> Cc: webappsec () securityfocus com
> Subject: Re: XSS?
>
> URL will change which would make it obvious.
>
> Then again some will buy into it so yeah...
>
> I am kind of on a fence with this one. You did sway my 
> opinion though; hence on the fence. I used to be on the other side :)
>
> Don't think Google can do much about though and keep same 
> functionality.
>
>    Serg
>
>
> On 17/11/05, Aman Raheja <araheja () techquotes com> wrote:
> > Why would it not be a problem if someone sends an email 
> with the link 
> > http://www.google.com/url?q=http://www.xyz.com and prompt 
> user to sign 
> > up for some new google service or even sign in to personalize the 
> > google homepage?
> > The user will get redirected to the xyz site which would 
> show google 
> > logo and same look and feel and collect the user 
> information - which 
> > could potentially be misused. They are probably not going away the 
> > credit card or bank information but it is phishing and 
> collecting user 
> > information by misleading.
> > AR
> >
> > Serg B. wrote:
> >
> > > I really dont see a problem here?
> > >
> > > Vulnerability? What are you on about? Simple, expected 
> redirect (key
> > > word: expected).
> > >
> > > Here is a more in context example.
> > >
> > > Lets say you have some sort of managment system (lets say a CRM of 
> > > some
> > > sort) and you search for user with name 'A'. Returned result set 
> > > contains 20 matches. You are presented with a list and you choose 
> > > which one you want to look at in details. However if result set 
> > > returned is a single, exact match then there is absolutely 
> no point 
> > > showing a list of matches since we already know that there 
> is only a 
> > > single match. Hence, go directly to data, saving time and effort.
> > >
> > >   Serg
> > >
> > > On Tue, 2005-11-15 at 13:51 +0000, Aman Raheja wrote:
> > >
> > >
> > > > This is not XSS but indeed a vulnerability since they are not 
> > > > validating the URL and it's irresponsible of google not 
> to take care 
> > > > of this kind of vulnerability which would aid phishing.
> > > >
> > > > Aman Raheja
> > > > http://www.techquotes.com
> > > >
> > > > On Tue, 15 Nov 2005 11:52:19 +0800, Andrew Chan 
> <quickt () gmail com> wrote :
> > > > > I tried 
> http://www.google.com/url?q=http://www.microsoft.com and it 
> > > > > got directed. it seems that I received one such phishing 
> email that 
> > > > > makes use of this to obfuscate the actual URL lately.