Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Facebook URL Redirect Vulnerability

From: Andrew Farmer <andfarm () gmail com>
Date: Wed, 2 Mar 2011 11:38:07 -0800
On 2011-03-02, at 06:30, Nathan Power wrote:

There are 3 different steps to perform an attack using a URL redirect:  1)
trick the user 2) redirect 3) exploit .. We are using a Facebook URL to
trick the user, we are using the URL redirect as the catalyst to perform an
exploit.

Here are some examples of the types of attacks you can perform with a URL
redirect, CSRF, phishing (fake fb login), and browser exploits (javascript
zombie,0days,etc).

How would you have written the impact section?


Something like this:


3. Impact:

An attacker may obfuscate the target of a link, potentiating phishing attacks and/or bypassing some simple URL 
filters.


Or something of the sort. The actual target of the link isn't obscured in the URL, so it's not even particularly 
convincing if the URL is displayed in plain text.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: