Full Disclosure mailing list archives

Re: Facebook URL Redirect Vulnerability
From: Andrew Farmer <andfarm () gmail com>
Date: Wed, 2 Mar 2011 11:38:07 -0800

On 2011-03-02, at 06:30, Nathan Power wrote:
> There are 3 different steps to perform an attack using a URL redirect: 1)
> trick the user 2) redirect 3) exploit .. We are using a Facebook URL to
> trick the user, we are using the URL redirect as the catalyst to perform an
>
> Here are some examples of the types of attacks you can perform with a URL
> redirect, CSRF, phishing (fake fb login), and browser exploits (javascript
How would you have written the impact section?

Something like this:

3. Impact:

An attacker may obfuscate the target of a link, potentiating phishing attacks and/or bypassing some simple URL 

Or something of the sort. The actual target of the link isn't obscured in the URL, so it's not even particularly 
convincing if the URL is displayed in plain text.
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
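An added example, not code from either poster: a redirect-endpoint check that forwards only to an allowlisted host, plus a helper that surfaces the real destination from the query string, which is the point made above about the target not being obscured. The site name `example.com` and the parameter name `u` are assumptions; the thread names neither.

```python
"""Added example (not from the thread): validating redirect targets the way a
defender would, so a redirect endpoint never forwards to an untrusted host.
The trusted site 'example.com' and the parameter name 'u' are assumptions."""
from typing import Optional, Tuple
from urllib.parse import parse_qs, urljoin, urlparse

TRUSTED_HOSTS = {"example.com", "www.example.com"}  # constructed allowlist
SITE_BASE = "https://example.com/"                  # assumed site origin


def redirect_target(redirect_url: str, param: str = "u") -> Optional[str]:
    """Pull the destination out of a redirect URL's query string.
    The real target sits there in plain text, which is why an open
    redirect is only a weak lure when the full URL is shown to the user."""
    values = parse_qs(urlparse(redirect_url).query).get(param)
    return values[0] if values else None


def is_safe_redirect(target: str, trusted_hosts=TRUSTED_HOSTS,
                     base: str = SITE_BASE) -> bool:
    """Allow only http(s) targets whose host is on the allowlist.
    Relative paths are resolved against `base` so '/home' stays on-site;
    scheme-relative '//evil.test', 'javascript:' URLs, look-alike hosts
    such as 'example.com.evil.test' and userinfo tricks like
    'example.com@evil.test' all resolve to a host that is not trusted."""
    parsed = urlparse(urljoin(base, target))
    if parsed.scheme not in ("http", "https"):
        return False
    return (parsed.hostname or "").lower() in trusted_hosts


def classify_redirect(redirect_url: str) -> Tuple[Optional[str], bool]:
    """Return (destination, allowed) for a full redirect URL, as a redirect
    handler or a log-review script would evaluate it."""
    target = redirect_target(redirect_url)
    if target is None:
        return None, False
    return target, is_safe_redirect(target)


if __name__ == "__main__":
    # Constructed sample: an off-site login page hidden behind a trusted host.
    sample = "https://example.com/redirect?u=https%3A%2F%2Fevil.test%2Flogin"
    print(classify_redirect(sample))   # ('https://evil.test/login', False)
```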
