|
Full Disclosure
mailing list archives
Re: Facebook URL Redirect Vulnerability
From: Andrew Farmer <andfarm () gmail com>
Date: Wed, 2 Mar 2011 11:38:07 -0800
On 2011-03-02, at 06:30, Nathan Power wrote:
There are 3 different steps to perform an attack using a URL redirect: 1)
trick the user 2) redirect 3) exploit .. We are using a Facebook URL to
trick the user, we are using the URL redirect as the catalyst to perform an
exploit.
Here are some examples of the types of attacks you can perform with a URL
redirect, CSRF, phishing (fake fb login), and browser exploits (javascript
zombie,0days,etc).
How would you have written the impact section?
Something like this:
3. Impact:
An attacker may obfuscate the target of a link, potentiating phishing attacks and/or bypassing some simple URL
filters.
Or something of the sort. The actual target of the link isn't obscured in the URL, so it's not even particularly
convincing if the URL is displayed in plain text.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
|
