Full Disclosure mailing list archives
Re: Facebook URL Redirect Vulnerability
From: Andrew Farmer <andfarm () gmail com>
Date: Wed, 2 Mar 2011 11:38:07 -0800
On 2011-03-02, at 06:30, Nathan Power wrote:
There are 3 different steps to perform an attack using a URL redirect: 1) trick the user 2) redirect 3) exploit .. We are using a Facebook URL to trick the user, we are using the URL redirect as the catalyst to perform an exploit. Here are some examples of the types of attacks you can perform with a URL redirect, CSRF, phishing (fake fb login), and browser exploits (javascript zombie,0days,etc). How would you have written the impact section?
Something like this:
3. Impact: An attacker may obfuscate the target of a link, potentiating phishing attacks and/or bypassing some simple URL filters.
Or something of the sort. The actual target of the link isn't obscured in the URL, so it's not even particularly convincing if the URL is displayed in plain text. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Facebook URL Redirect Vulnerability Weir, Jason (Mar 01)
- Re: Facebook URL Redirect Vulnerability Nathan Power (Mar 03)
- Re: Facebook URL Redirect Vulnerability Weir, Jason (Mar 02)
- <Possible follow-ups>
- Re: Facebook URL Redirect Vulnerability Andrew Farmer (Mar 01)
- Re: Facebook URL Redirect Vulnerability Chris Evans (Mar 01)
- Re: Facebook URL Redirect Vulnerability Wesley Kerfoot (Mar 01)
- Re: Facebook URL Redirect Vulnerability Nathan Power (Mar 03)
- Re: Facebook URL Redirect Vulnerability Andrew Farmer (Mar 02)
- Re: Facebook URL Redirect Vulnerability Nathan Power (Mar 03)
- Re: Facebook URL Redirect Vulnerability Chris Evans (Mar 03)
- Re: Facebook URL Redirect Vulnerability Javier Bassi (Mar 03)
- Re: Facebook URL Redirect Vulnerability Valdis . Kletnieks (Mar 03)
- Re: Facebook URL Redirect Vulnerability Nathan Power (Mar 03)