Full Disclosure mailing list archives
Re: Twitter URL spoofing still exploitable
From: Pablo Ximenes <pablo () ximen es>
Date: Tue, 27 Sep 2011 10:12:27 -0300
Actually, I'm not sure if their first patch added this new exploit I mentioned in my blog or if it was already there unnoticed, but Twitter's last fix sure did break stuff.

They sort of fixed my URL spoofing method by disabling their URL spoofing that made t.co's links look like the original URL posted in the tweet. Now every link in Twitter displays as http://t.co/something !!! Ok, now nobody can spoof a URL, but how will a user tell good URLs and bad ones apart? Oh boy!

I have updated my blog to include these details: http://ximen.es/?p=534

Regards,

Pablo Ximenes
http://ximen.es/
http://twitter.com/pabloximenes

2011/9/27 Darren Martyn <d.martyn.fulldisclosure () gmail com>:
> So their patching method merely introduced another exploitation method? Reminds me of some of Oracle's patches...
>
> On Tue, Sep 27, 2011 at 3:18 AM, Pablo Ximenes <pablo () ximen es> wrote:
>> Some of you might consider this blog post of value: http://ximen.es/?p=534
>>
>> Thanks,
>>
>> Pablo Ximenes
>> http://ximen.es/
>> http://twitter.com/pabloximenes

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Twitter URL spoofing still exploitable Pablo Ximenes (Sep 26)
- Re: Twitter URL spoofing still exploitable Darren Martyn (Sep 27)
- Re: Twitter URL spoofing still exploitable Pablo Ximenes (Sep 27)
- Re: Twitter URL spoofing still exploitable Dan Kaminsky (Sep 27)
- Re: Twitter URL spoofing still exploitable Mario Vilas (Sep 27)
- Re: Twitter URL spoofing still exploitable dave bl (Sep 27)
- Re: Twitter URL spoofing still exploitable Benji (Sep 27)
- Re: Twitter URL spoofing still exploitable Pablo Ximenes (Sep 27)
- Re: Twitter URL spoofing still exploitable Pablo Ximenes (Sep 27)
- Re: Twitter URL spoofing still exploitable Darren Martyn (Sep 27)