@taviso If a widely trusted domain can be used to redirect visitors to an untrusted site they didn't intend to visit (phishing or malware host), would you consider that a vulnerability that should be addressed?
Replying to @Nstr0x0A
Sorry, but I don't think you're going to like my answer. You might be able to convince @sirdarckcat though, depending on context.
Replying to @taviso @sirdarckcat
One would think you'd at least filter your open redirects using your own database of known malicious sites.
Replying to @sirdarckcat @taviso
Saying something isn't a vuln doesn't make it any less dangerous to users; if anything, it just makes your company look foolish and irresponsible.
Please read the link I sent, it explains what we think of open redirects, and in which cases we will even pay for them (and in which cases we won't).
Replying to @sirdarckcat @taviso
I read the linked page. If bypassing a whitelist is a serious flaw, shouldn't not having a whitelist at all be considered a more serious flaw? If a referer check bypass is a serious flaw, isn't it worse to accept all referer strings? I don't want money, I just want this fixed.
Usually URL whitelists are there to protect some security-sensitive functionality. If there is no whitelist protecting such functionality, or the whitelist can be bypassed with a redirect, then that would be a serious flaw.
Replying to @sirdarckcat @taviso
I really wish we lived in a world where Google could be held responsible for their knowing participation in phishing campaigns against thousands if not millions of victims. Keep making the internet a worse place for everyone. What goes around comes around.
Do you really think the problem is that Eduardo and I don't care about users? We've both spent our adult lives making software safer. We have studied this for *years*, and understand the arguments. Instead of assuming bad faith, why not ask our perspective? Unbelievable. 
maybe he is just having a bad day..
Replying to @sirdarckcat @taviso
I was having a very bad day, and it was fully attributable to your employer... but I'm prepared to swallow my pride and listen. What is your perspective?