Hacker News: Phantom's comments

I am hoping at least one of you is a "domain expert" on migraines ... else this app is just gonna be using "trending" logic which might not really work.


All the best to everyone, and especially to my best friend infosec_hacker!


I absolutely agree with the talk! Google is the new Microsoft :) and Facebook is the new Google and will also become the next Microsoft very soon.

What Google is doing is actually monitoring every aspect of our online life! Really worrisome!


And Facebook isn't? How about big hungry corps come in different sizes and shapes but are still big hungry corps.


All the videos posted on that page are his from what I know. I have gone through them all. Which one of the videos on that page is yours? Can you post a link from the page linked here?

Also, if you wanna run a shameless plug for your own website, that's ok with me :) but don't do it by slandering someone else :)


Exactly! Imagine if your bank had such a redirect URL available; phishing would be so simple.


Some banks display a customer preselected image after the user name & before entering a password. This seems to be a good solution to phishing if one keeps the username private. Otherwise a site could give you the option of using two part passwords.


... and a study a while back showed that, if you simply don't show that image, a large majority of users don't notice. For this reason, the whole "sitekey" phenomenon strikes me as a waste of time.


This? http://usablesecurity.org/emperor/ - it is an interesting read.

It should also be noted that it's not even a 25% benefit for them, but it does help security, even if slightly. I think lowering phishing 1% could be massive for any major bank.


Isn't this incredibly simple to defeat? The phishing site can send your username to the real bank's website and retrieve the image.


If you do that, the bank will notice a bunch of connections from the same IP for different usernames.

You could use a botnet to do the lookups, but that still makes the attack substantially more difficult.


Correct! Basic idea is to show how easy it is to use this simple redirect against users of social media sites. Most people on HN would have seen this link and trusted it to be from YouTube.


Furthermore, I can see browsers detecting this type of behavior and prompting the user about it.

If a browser sees an encoded URL in the query string, and then gets a location header to go to that URL, and that URL is not on the same domain, it would prompt the user that you are leaving that domain.

I can't see many sites that are legitimate, and use redirection techniques that meet all of my criteria.


http://voice.google.com/ redirects to http://google.com/voice. Technically different domains, but I would be really annoyed if I had to confirm this every time. I suppose you could add a whitelist, but now we are just annoying people when they first start using a particular install of a browser.


No, I'm talking about seeing something like:

http://voice.google.com/?r=google.com/voice, where the resulting URL is inside the query_string
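The heuristic sketched in this sub-thread (a Location header that sends you off-site to a destination that was carried in the request's own query string), written out as a small detector. This is an added example, not code from the thread; the same-site comparison on the last two host labels is a deliberate simplification (a real implementation would use the public suffix list), and the base64 branch is there because of the obfuscation objection raised further down.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qsl, unquote


def _site(host: str) -> str:
    # Simplification: compare the last two labels so that voice.google.com
    # and google.com count as the same site (no public suffix list here).
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _decodings(value: str):
    """Yield plausible readings of one query value: as given, percent-decoded
    a second time, and base64-decoded when it parses as base64."""
    yield value
    yield unquote(value)
    try:
        padded = value + "=" * (-len(value) % 4)
        yield base64.urlsafe_b64decode(padded).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        pass


def suspicious_redirect(request_url: str, location: str) -> bool:
    """True when the Location header points off-site AND the destination host
    appears inside one of the request's query parameters, which is what an
    open redirect used as a link-laundering hop looks like on the wire."""
    req = urlsplit(request_url)
    target = urlsplit(location)
    if not target.scheme and not target.netloc:
        return False  # relative path: the browser stays on this site
    if not target.netloc or _site(target.netloc) == _site(req.netloc):
        return False  # same-site hop such as voice.google.com -> google.com
    host = target.netloc.lower()
    for _, value in parse_qsl(req.query, keep_blank_values=True):
        for decoded in _decodings(value):
            if host in decoded.lower():
                return True
    return False
```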


So then we start obfuscating the URL parameters? Or what if google.com/voice is just one step in a series of redirects? What if some "clever" dude decides to protect against this and, say, base64-encode the r argument to "protect" his app?


This is why redirect links should limit themselves to relative URLs, or limit it to a whitelisted set of domains.

(Can anyone think of downsides to limiting yourself to relative URLs or a whitelist of domains?)

It is very interesting that YouTube has this vulnerability. Almost every time I implement something like this, I double check the domain name. (This is really easy in PHP)


The redirect I found on https://www.google.com seems like it did have a whitelist. Luckily youtube.com was on the whitelist, so I could re-use the exploit from there. So even whitelists aren't totally safe (and YouTube isn't using the redirect for known friendly sites - seems to be more for tracking purposes).

http://news.ycombinator.com/item?id=1259844 for the google.com URL
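The "relative URLs or a whitelist of domains" rule from a few comments up, as an added example (not code from the thread or from any site mentioned in it): a validator for the redirect target that returns a fallback for anything that is neither a same-site path nor an http(s) URL on an allowed host, and that rejects the shapes a naive string check lets through (scheme-relative `//host`, backslashes, `http:host` without slashes, userinfo tricks). `ALLOWED_HOSTS` is a constructed list. As the comment right above shows, the list is only as strong as its weakest member: a host on it that runs its own open redirect turns the check into a two-hop bypass, so list only hosts whose redirects are themselves closed.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allow-list for this example. Every host here must itself refuse
# to redirect to arbitrary destinations, or the chain defeats the list.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def safe_redirect_target(raw: str, allowed_hosts=ALLOWED_HOSTS, fallback: str = "/") -> str:
    """Return a redirect destination that is either a relative path on this
    site or an absolute http(s) URL on an allowed host; anything else maps to
    `fallback` instead of being passed to the Location header."""
    if not raw:
        return fallback
    # Browsers treat backslashes as slashes ("/\\evil.example" becomes
    # "//evil.example"), and whitespace or control characters can smuggle a
    # scheme past lenient parsers, so refuse those outright.
    if "\\" in raw or any(ch.isspace() or ord(ch) < 0x20 for ch in raw):
        return fallback
    parts = urlsplit(raw)
    if not parts.scheme and not parts.netloc:
        # Relative reference. Accept only a path beginning with a single "/";
        # "//host" has already produced a netloc and "///x" is rejected here.
        if raw.startswith("/") and not raw.startswith("//"):
            return raw
        return fallback
    # Absolute URL: scheme must be http(s) and the host must be on the list.
    if parts.scheme.lower() not in ("http", "https"):
        return fallback
    if parts.username or parts.password:
        return fallback  # "http://www.example.com@evil.example/" style
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in allowed_hosts:
        return fallback  # also catches "www.example.com.evil.example"
    return urlunsplit(parts)
```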


Can you suggest something better?


It may suffice to point out in the comments that it redirects to http://securitytube.net/Social-Engineering-Attacks-using-Sim... . (As of this posting nobody else has posted this yet.)

Also, despite having "video" in the URL, the text says all you need to know. I don't think very many people around here will have a hard time figuring out how this happened. I don't need a video.


Say where it is sending you, not just where it's not sending you.


Very cool presentation and demo! I was at the conference and the audience was in awe!

great watch. Gets my thumbs up!


They seem to have a mix of originals and embeds from other sites ... nevertheless there is some aggregation value ..


Security through obscurity is obviously crap, but I suspect some of that "aggregation value" == more script kiddies hammering my servers.


Better a few hunger-stricken souls than install IE 8


Really? You'd rather that someone goes hungry than you having to download IE8?


Really? You took his comment literally? That's almost as unbelievable as the original claim. ;-)


ha ha ;-) Can't believe someone fell for it :)


Better than IE 6 right?


I'm crossing my fingers that Oct 22 will have a great release of Windows 7 so that workplaces can finally upgrade. If they have another horrible release, then it's another 2 years of IE6 pain for us web developers!

