|
Full Disclosure
mailing list archives
Re: Google open redirect
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Fri, 9 Dec 2011 12:54:29 -0800
They may be in the minority, but there *are* users out there who know how to
look at the address bar. The security researcher knows this because he is
one of them. I call this group the "competent and contentious users".
Sure. And that group is sort of safe when faced with open redirectors,
mouseover tooltips, etc - well, modulo funny corner cases like this:
http://lcamtuf.coredump.cx/switch/
...or:
http://lcamtuf.coredump.cx/switch/index2.html
I have seen the "most users don't understand X anyway" as an argument
against fixing X in the browser several times before, and I think
that's wrong; but I'm not sure this is applicable here.
/mz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
(Thread continues...)
| 
