WebApp Sec: Re: XSS?

[Aman Raheja <araheja () techquotes com>]

Why would it not be a problem if someone sends an email with the link 
http://www.google.com/url?q=http://www.xyz.com and prompt user to sign 
up for some new google service or even sign in to personalize the google 
homepage?
The user will get redirected to the xyz site which would show google 
logo and same look and feel and collect the user information - which 
could potentially be misused. They are probably not going away the 
credit card or bank information but it is phishing and collecting user 
information by misleading.
AR

Serg B. wrote:

> I really dont see a problem here? 
>
> Vulnerability? What are you on about? Simple, expected redirect (key
> word: expected). 
>
> Here is a more in context example.
>
> Lets say you have some sort of managment system (lets say a CRM of some
> sort) and you search for user with name 'A'. Returned result set
> contains 20 matches. You are presented with a list and you choose which
> one you want to look at in details. However if result set returned is a
> single, exact match then there is absolutely no point showing a list of
> matches since we already know that there is only a single match. Hence,
> go directly to data, saving time and effort.
>
>   Serg
>
> On Tue, 2005-11-15 at 13:51 +0000, Aman Raheja wrote:
>  
>
> > This is not XSS but indeed a vulnerability since they are not validating 
> > the URL and it's irresponsible of google not to take care of this kind of 
> > vulnerability which would aid phishing.
> > Aman Raheja
> > http://www.techquotes.com
> >
> > On Tue, 15 Nov 2005 11:52:19 +0800, Andrew Chan <quickt () gmail com> wrote :
> >
> >    
> >
> > > I tried http://www.google.com/url?q=http://www.microsoft.com and it got
> > > directed. it seems that I received one such phishing email that makes
> > > use of this to obfuscate the actual URL lately.