Full Disclosure mailing list archives
Re: Facebook URL Redirect Vulnerability
From: Javier Bassi <javierbassi () gmail com>
Date: Thu, 3 Mar 2011 16:49:26 -0300
On Thu, Mar 3, 2011 at 4:04 PM, Chris Evans <scarybeasts () gmail com> wrote:
> You do not need an open redirect to trick the user. Try <a href="http://www.evil.com">www.facebook.com/OMFGacatvomitingacanaryandpuppiesandshit</a>

You are all suggesting scenarios in which only a non-tech person would fall. Everybody knows that JavaScript can change the status text when mousing over a link. This is what Google does in the search results. (Although you can disable this in Firefox in Advanced JavaScript Settings.)

The same goes for Nathan's scenario. Even if Facebook only displays 'apps.facebook.com' when posting the link, if the person clicks there it means he is already on Facebook. If he is already logged in to Facebook, clicking on a link going to a login page is way too obvious.

A good scenario would be via Instant Message. There is no HTML or JavaScript, and when the victim clicks a link he knows he's going to that link, and there is a big chance he will not notice it is a redirect. From http://apps.facebook.com/stuff to http://apps.facebook.evil.com/stuff can do the trick.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/