Full Disclosure mailing list archives
Fwd: Facebook Restricted Open redirection issue as attacker must be friend of victim
From: vinesh redkar <vineshredkar89 () gmail com>
Date: Thu, 11 Jul 2013 21:43:37 +0530
Hi, I have submitted this issue but it did not get accepted by Facebook because of the limited nature of this exploitation, as for a successful attack the victim must be a friend. I submitted this issue on 22 May. Below is the mail trail for the same :'( Also there is a download link for a demonstration of this attack.

---------- Forwarded message ----------
From: vinesh redkar <vineshredkar89 () gmail com>
Date: Fri, May 24, 2013 at 6:03 PM
Subject: Re: Report a Possible Security Vulnerability
To: Facebook Security <whitehat+5avyv5a.aeaz7x2bcvjp6 () support facebook com>

Hi Team,

Please find attached video for attack demonstration.
http://www.mediafire.com/download/mll5mhreyj448jb/facebook_attack.wmv
Password to download file: vinesh

I have just shortened the URL. The below URL only works when the victim is a friend of the attacker (here in this case it was me, Vinesh Redkar). If you want to check this issue just send me a request and then try it (it will work for you). There is no confirmation asked before sending it to the other site :)

http://m.facebook.com/l.php?u=http://www.avsecurity.in?&h=MAQEydEHG&s=1
http://www.facebook.com/l.php?u=http://www.avsecurity.in?&h=MAQEydEHG&s=1

(Note: Don't change the h parameter, but you can change the u parameter to any website.)

On Fri, May 24, 2013 at 2:44 AM, Facebook Security <whitehat+5avyv5a.aeaz7x2bcvjp6 () support facebook com> wrote:
Hi,

Sorry, but this is expected behavior and not eligible under our bounty program. This endpoint contains a specialized parameter that limits its usage to a small number of computers and users, preventing it from being used as a completely open redirect. For more detailed background information, please see this note by one of the engineers on the product: http://www.facebook.com/notes/facebook-security/link-shim-protecting-the-people-who-use-facebook-from-malicious-urls/10150492832835766

Thanks! Please let us know if you have any further questions.

Rory
Security
Facebook

-----Original Message to Facebook-----
From: vinesh redkar (vineshredkar89 () gmail com)
To: The Facebook Team
Subject: Re: Report a Possible Security Vulnerability

Hey Team,
Any update on my Facebook Open Redirection Issue?

On Mon, May 20, 2013 at 6:32 PM, Facebook Security <whitehat+5avyv5a.aeaz7x2bcu () support facebook com> wrote:

Hi,

Thank you for your report. If you are reporting a security bug, we will respond to your report as soon as possible. Your report number is 159514675. Otherwise, please continue reading for assistance.

If your account or a friend's account is sending out suspicious links, please refer to the "Take Action" section on the following page for ways to properly report this activity: http://www.facebook.com/help/456801467677596/

To report abuse, please use the proper "Report" link that appears next to many pieces of content on the site. You may also report another user by using the "Report/Block" link that appears at the bottom of a user's profile page. If this does not resolve the issue, we suggest that you block the person by listing his or her name in the "Blocking People" box that appears at the bottom of the Privacy page.

For solutions to technical issues, answers to common questions, and feedback from other Facebook users, please visit our Help Center here: https://www.facebook.com/help/

Thanks for contacting Facebook,
The Facebook Team
-----End Original Message to Facebook-----
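As an added illustration (not code from this thread, and not Facebook's actual link shim, whose design is not on this page), the following hypothetical signed-redirect endpoint in Python shows why the h parameter must commit to the destination u as well as to the viewer: a token bound only to the viewer still verifies after u is swapped, which is the behaviour the report describes, while a URL-bound token rejects the swap. The endpoint, key, user ids and URLs are constructed placeholders.

```python
import hmac
import hashlib
from typing import Optional
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed demo key; a real shim loads this from a secret store and rotates it.
SECRET = b"constructed-demo-key-not-real"
SHIM = "https://example.invalid/l.php"  # hypothetical endpoint, not Facebook's


def _tag(*parts: str) -> str:
    """HMAC-SHA256 over the joined parts, truncated to a short 'h'-style value."""
    msg = "\x1f".join(parts).encode("utf-8")
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def mint_token(viewer_id: str, url: str, bind_url: bool) -> str:
    """bind_url=False: token depends only on the viewer (the weak design: keep h,
    swap u). bind_url=True: token also commits to the destination URL."""
    return _tag(viewer_id, url) if bind_url else _tag(viewer_id)


def build_link(viewer_id: str, url: str, bind_url: bool) -> str:
    """Server side: emit a shim link carrying the destination and its token."""
    params = {"u": url, "h": mint_token(viewer_id, url, bind_url), "s": "1"}
    return f"{SHIM}?{urlencode(params)}"


def resolve(shim_url: str, viewer_id: str, bind_url: bool) -> Optional[str]:
    """Redirect handler: return the destination only if h verifies for this viewer
    (and, when bound, this destination). None means refuse or show an interstitial."""
    q = parse_qs(urlparse(shim_url).query)
    u, h = q.get("u", [""])[0], q.get("h", [""])[0]
    if not u or not h or urlparse(u).scheme not in ("http", "https"):
        return None
    expected = mint_token(viewer_id, u, bind_url)
    if not hmac.compare_digest(expected.encode("ascii"), h.encode("utf-8")):
        return None
    return u


def replace_destination(shim_url: str, new_url: str) -> str:
    """Model the step the report describes: keep h unchanged, replace u."""
    q = {k: v[0] for k, v in parse_qs(urlparse(shim_url).query).items()}
    q["u"] = new_url
    return f"{SHIM}?{urlencode(q)}"
```

The viewer-bound variant illustrates why restricting a token to a set of users only narrows the audience of an open redirect; binding the token to the destination removes it.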