Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Twitter URL spoofing still exploitable

From: Pablo Ximenes <pablo () ximen es>
Date: Tue, 27 Sep 2011 10:12:27 -0300
Actually, I'm not sure if their first patch added this new exploit I
mentioned in my blog or it it was already there unnoticed,  but
twitter's last fix sure did break stuff.

They sort of fixed my URL spoofing method by disabling their URL
spoofing that made t.co's links look like the original URL posted in
the tweet. Now every link in twitter displays as http://t.co/something
!!!

Ok, now nobody can spoof a URL, but how come a user will tell good
URLs and bad ones apart? Oh boy!

I have updated my blog to include these details: http://ximen.es/?p=534

Regards,

Pablo Ximenes
http://ximen.es/
http://twitter.com/pabloximenes




2011/9/27 Darren Martyn <d.martyn.fulldisclosure () gmail com>:

So their patching method merely introduced another exploitation method?
Reminds me of some of Oracles patches...

On Tue, Sep 27, 2011 at 3:18 AM, Pablo Ximenes <pablo () ximen es> wrote:


Some of you might consider this blog post of value: http://ximen.es/?p=534

Thanks,

Pablo Ximenes
http://ximen.es/
http://twitter.com/pabloximenes

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: