Full Disclosure mailing list archives
Facebook URL redirection issue
From: kiran Maraju <kiran_maraju () yahoo com>
Date: Sun, 3 Apr 2011 12:54:29 +0530 (IST)
Hi all, URL redirection vulnerability observed in Facebook. Facebook application has not sanitized the “redirect” input parameter. if you provide "redirect" parameter to any third party site then the web page is redirecting to the third party site. This would aid phishing attacks by using an attacker's dummy site (providing redirect value to the dummy site). URL: http://www.facebook.com/ajax/set_as_homepage.php?uid=<<any value>>&assoc=SetAsHomepageAssocInterstitial&action=cancel&redirect=<<Any web Site URL>> Reported this issue to Facebook team on 03/22/11 and Facebook team acknowledged this issue on 03/29/11 and fixed this vulnerability. Status: Reported this issue to the vendor and vendor fixed this issue. Best Regards, Kiran Maraju
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Facebook URL redirection issue kiran Maraju (Apr 03)
- Re: Facebook URL redirection issue Javier Bassi (Apr 03)
- Re: Facebook URL redirection issue Chris Evans (Apr 03)
- Re: Facebook URL redirection issue Christian Sciberras (Apr 03)
- Re: Facebook URL redirection issue Chris Evans (Apr 03)
- Re: Facebook URL redirection issue Javier Bassi (Apr 03)