Re: Google open redirect
From: Charles Morris <cmorris () cs odu edu>
Date: Thu, 8 Dec 2011 09:53:52 -0500
IMHO, $500 is an incredibly minute amount to give even for an error message information disclosure/an open redirect; researchers with bills can't make a living like that, although it might? be okay for students.
How many Google vulnerabilities per month are there expected to be?
Granted, there are other avenues to pursue for a fledgling researcher.
What is the cost to Google's business if an open redirect causes their image to be tarnished by some arbitrary amount in the eyes of some percentage of consumers?
Considering Google grossed 30 billion dollars in 2010 (ridiculous), I would expect that the numbers we are talking about are perhaps so massive that $500 is nothing in comparison.
We live in an age that pays 5k, or 30k, or 100k for a root-level compromise in a common package with a reliable and solid exploit. At least that's what I hear.
Even if everyone else's opinion says "$500 is too much for a redirect", doesn't Google want to promote the industry by sharing a little of the wealth with people with good intentions and ability?
It's time to raise the bar a little here, and I'm not just talking about bounty.
Why would Google ever suffer from these issues to begin with?
Can't Google, in its infinite wisdom and 30 billion dollars, come up with a better solution for whatever random problem they are trying to solve with an open redirect?
n.b. I have never sold a vulnerability, even when non-pittance sums are offered.
On Thu, Dec 8, 2011 at 12:15 AM, Michal Zalewski <lcamtuf () coredump cx> wrote:
>> _Open_ URL redirectors are trivially prevented by any vaguely sentient
>> web developer as URL redirectors have NO legitimate use from outside
>> one's own site so should ALWAYS be implemented with Referer checking
>
> There are decent solutions to lock down some classes of open
> redirectors (and replace others with direct linking), but "Referer"
> checking isn't one of them. It has several subtle problems that render
> it largely useless in real-world apps.
>
> We have a vulnerability reward program, and it's just about not paying
> $500 for reports of that vulnerability - along with not paying for
> many other minimal-risk problems such as path disclosure.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
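The quoted exchange argues that Referer checking is not a sound way to lock down a redirector, without spelling out what the "decent solutions" look like. The following is an added example, not code from the original thread or from Google, showing two of the usual ones: accepting only same-site paths or allowlisted hosts, and having the site sign the outbound destinations it emits itself so the redirector only honours links it generated. The allowlist, the signing key, the `/out?u=...&sig=...` parameter names and the default landing page are hypothetical values chosen for the example.

```python
"""Locking down a URL redirector without relying on the Referer header.

Added example (not from the original thread). Two techniques:
  1. is_safe_redirect(): accept only rooted same-site paths or absolute
     http(s) URLs whose host is on an explicit allowlist.
  2. sign_destination() / verify_destination(): the site HMAC-tags the
     destinations it links to itself, so /out?u=...&sig=... only follows
     links the site minted. Keys and hosts below are hypothetical.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical values for this example only.
ALLOWED_HOSTS = frozenset({"example.com", "accounts.example.com"})
SECRET_KEY = b"example-only-key-use-a-random-32-byte-secret"
DEFAULT_LANDING = "/"


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only if `target` is a rooted same-site path or an absolute
    http(s) URL whose host is on the allowlist. No Referer involved."""
    if not target or any(ch in target for ch in "\r\n\t\x00"):
        return False  # empty, or control characters (header injection)
    target = target.strip()
    # Browsers treat backslash like slash, so "/\evil.com", "//evil.com"
    # and "\\evil.com" are all protocol-relative jumps to evil.com.
    if target.startswith(("//", "/\\", "\\")):
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative reference: require a rooted path so "evil.com/x"
        # (which urlsplit treats as a plain path) is not accepted.
        return target.startswith("/")
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, file:, ...
    if not parts.netloc or "@" in parts.netloc:
        # "https:evil.com" has no netloc; "https://example.com@evil.com"
        # hides the real host behind userinfo.
        return False
    # .hostname is lower-cased with the port removed, so exact set
    # membership is the right test (never suffix/prefix matching).
    return parts.hostname in allowed_hosts


def sign_destination(destination, key=SECRET_KEY):
    """Tag a destination the site itself chose to link to (e.g. a partner
    URL), for embedding as /out?u=<destination>&sig=<tag>."""
    mac = hmac.new(key, destination.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def verify_destination(destination, sig, key=SECRET_KEY):
    """Constant-time check that `sig` was minted for exactly `destination`."""
    expected = sign_destination(destination, key).encode("ascii")
    return hmac.compare_digest(expected, sig.encode("utf-8"))


def resolve_redirect(next_url, sig=None):
    """Decision for the redirector endpoint: follow `next_url` only if it is
    same-site/allowlisted or carries a valid signature; otherwise send the
    user to a safe default rather than off-site."""
    if not next_url:
        return DEFAULT_LANDING
    if sig is not None and verify_destination(next_url, sig):
        return next_url
    if is_safe_redirect(next_url):
        return next_url
    return DEFAULT_LANDING


if __name__ == "__main__":
    # Constructed sample values of the kind a redirector endpoint receives.
    for u in ["/account", "https://accounts.example.com/login", "//evil.com/",
              "https://example.com@evil.com/", "javascript:alert(1)"]:
        print(f"{u!r:40} -> {resolve_redirect(u)!r}")
    partner = "https://partner.example.org/offer"
    print(partner, "->", resolve_redirect(partner, sign_destination(partner)))
```

The reason this avoids Referer entirely is that the header is frequently missing or deliberately stripped (Referrer-Policy, HTTPS-to-HTTP navigations, typed or bookmarked links, privacy tooling), so a Referer check must either fail open or break legitimate users; and a link hosted on the site's own pages (user-generated content, a comment, a profile) carries a perfectly valid Referer anyway. An allowlist plus signed outbound links depends only on what the server itself knows.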