Cenzic 232 Patent
Paid Advertising
web application security lab

Open Redirectors Haunt Google Again, in Firefox

There’s two really interesting threads, one on pdp’s site and one on Bedford’s site about the use of Firefox’s jar: directive to inject bad content into other people’s site (if they have redirectors in them). Pretty nasty stuff. Turning off all non HTTP directives in Firefox is probably a good idea at this point, given the sheer number of holes that have been identified there.

But this is just another in a list of reasons why Google really does need to shut down these redirectors. Normally it just involves people losing their identities or abusing the trust relationship people have with the Google.com domain. This one can actually steal your information from Google. I’ve been pushing on them for three years now to fix them, and they still haven’t. Granted, this jar: post is really a browser issue and not a redirector issue on Google specifically, but why risk people’s safety when they only purpose for those redirectors is to track their users? I for one vote to shut the redirectors down. Anyway, very interesting articles by pdp and Bedford!

6 Responses to “Open Redirectors Haunt Google Again, in Firefox”

  1. sirdarckcat Says:

    Version 1.1.8 of NoScript detects and stops attacks based on redirection for bypassing the SOP in the JAR URI.
    http://noscript.net/?ver=1.1.8

    Greetz!!

  2. RSnake Says:

    Interesting, thanks, sirdarckcat!

  3. kuza55 Says:

    On a somewhat related note, do you think the ping attribute on anchor tags is a worthwhile piece of functionality to explore?

    Personally I think its a good idea, since especially for non-open redirects it lets the user find out where they’re going without needing to inform the site they plan to, and ping support can be disabled…..

  4. RSnake Says:

    @kuza55 - I’ve always thought ping was a good idea compared to open redirectors, because as you say, it can be disabled. Also, another way around that is to have an onclick event handler on every link tag, which can also be disabled by JS. Ultimately, the use of redirectors as a way to track users really needs to go the way of the dinosaurs.

  5. John Nagle Says:

    There are 164 major sites where URLs lead to phishing scams. Here’s the list:

    http://www.sitetruth.com/reports/phishes.html

    This list is updated automatically every three hours, using data from PhishTank and DMOZ. If you’re involved with any of those sites, please clean up your act. If you’re a customer of one of those sites, nag them. Thank you.

  6. Mike Says:

    I have a redirector on my website, but I protect it with a secret key so an authentication token needs to be sent along with the URL. See here for more details:

    https://secure.grepular.com/Secure_URL_Redirects_using_Apache_ModRewrite_and_ModSecurity