It's breathtaking to me that Google Security allowed this to happen. You can see the risk instantly.
Was Google Security given a "stand down order"?
#AMPGHAZI
Sorry, you appear to be using an outdated scandal moniker. All scandals end in "-alago" now. This is #AMPALAGO
New conversation
Our general policy is here: https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect The issue mentioned in the article was fixed last year.
Fixed how?
Several measures. But the result is this: https://www.google.com/amp/lets.phish.wycats
The fact that it's http://google.com will always allow someone to put official looking instructions and trick people.
The only solution is not to use Google URLs (an alt cache URL would help, but users still get used to it and it obscures fishy stuff).
The real solution is to get rid of the URL prefix, of course. We already did in our native apps. Hoping for web sometime this year.
I'm excited to hear that's coming. Can you share the techniques that are making it possible on the web? New standards? Browser features?
Still figuring it out and will share once it is far enough along. But likely the latter 2, indeed.
End of conversation
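The exchange above turns on one mechanism: a page served through the AMP cache carries a google.com prefix, so the origin a user reads in the address bar (or in a link preview) is not the origin whose content they are looking at. The following is an added example, not code from the thread, from Google or from the AMP project. It resolves such a link back to the publisher origin so a mail gateway or link preview can show that origin instead of the prefix. It assumes the viewer URL shape https://www.google.com/amp/[s/]<publisher-host>/<path>, with the optional "s/" segment marking an https origin; that shape, the host list and the sample links are assumptions made for the example, not taken from the thread.

```javascript
// Added example, not from the thread or from the AMP project.
// Assumption: an AMP viewer URL looks like
//   https://www.google.com/amp/[s/]<publisher-host>/<path>
// where the optional "s/" segment means the publisher origin is https.

const AMP_VIEWER_HOSTS = new Set(['www.google.com', 'google.com']); // assumed list

// "/amp/", an optional "s/" https marker, exactly one host segment, then the rest.
const AMP_PATH = /^\/amp\/(s\/)?([^/]+)(\/.*)?$/;

// Only plain DNS labels are accepted as the publisher host. Percent-encoded
// slashes, "@" or ":" in that segment are a sign of tampering and are flagged.
const HOSTNAME = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$/;

function resolveAmpViewerUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (_) {
    return { kind: 'unparseable', displayedOrigin: null, effectiveOrigin: null };
  }
  const displayedOrigin = url.origin;
  if (!AMP_VIEWER_HOSTS.has(url.hostname.toLowerCase())) {
    // Not a viewer host: the origin shown is the origin that serves the content.
    return { kind: 'direct', displayedOrigin, effectiveOrigin: displayedOrigin };
  }
  const m = AMP_PATH.exec(url.pathname);
  if (!m) {
    // Some other google.com page, e.g. search.
    return { kind: 'direct', displayedOrigin, effectiveOrigin: displayedOrigin };
  }
  const host = m[2].toLowerCase();
  if (!HOSTNAME.test(host)) {
    return { kind: 'malformed-amp', displayedOrigin, effectiveOrigin: null };
  }
  const scheme = m[1] ? 'https' : 'http';
  return {
    kind: 'amp-viewer',
    displayedOrigin,
    effectiveOrigin: `${scheme}://${host}`,
    path: m[3] || '/',
  };
}

// One-line text for a link preview or a mail-gateway banner.
function describeLink(rawUrl) {
  const r = resolveAmpViewerUrl(rawUrl);
  switch (r.kind) {
    case 'amp-viewer':
      return `Shown as ${r.displayedOrigin} but the content comes from ${r.effectiveOrigin}`;
    case 'malformed-amp':
      return `AMP viewer URL on ${r.displayedOrigin} with an invalid publisher segment; treat as hostile`;
    case 'direct':
      return `Served directly from ${r.effectiveOrigin}`;
    default:
      return 'Not a valid URL';
  }
}

// Constructed sample links; the first is the URL quoted in the thread.
const SAMPLE_LINKS = [
  'https://www.google.com/amp/lets.phish.wycats',
  'https://www.google.com/amp/s/example.com/news/story?utm=1',
  'https://www.google.com/amp/evil.example%2Fpath/x',
  'https://www.google.com/search?q=amp',
  'not a url',
];

for (const link of SAMPLE_LINKS) {
  console.log(`${link}\n  -> ${describeLink(link)}`);
}
```

The host segment is taken from `url.pathname`, which keeps `%2F` encoded, so an attempt to smuggle a path separator into the publisher segment fails the hostname check rather than being decoded into a different host. The check is deliberately strict: a viewer link whose publisher segment is not a plain hostname is reported as hostile, not silently passed through.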
New conversation
Now that's what I call using the platform
Now that's what I call using the platform. pic.twitter.com/laz8BgO4yu
End of conversation
New conversation
Will browsers one day have an implicit warranty of usability (a cornerstone of US product liability) that includes security protection?
Google has been wishy washy on open redirectors for a while now, I think Gruber is seeing conspiracy where there is none