Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Facebook URL Redirect Vulnerability
From: Javier Bassi <javierbassi () gmail com>
Date: Thu, 3 Mar 2011 16:49:26 -0300

On Thu, Mar 3, 2011 at 4:04 PM, Chris Evans <scarybeasts () gmail com> wrote:
You do not need an open redirect to trick the user. Try <a

You are all suggesting scenarios in which only a non-tech person would
fall. Everybody knows that JavaScript can change the status text when
mouserovering a link. This is what Google does in the search results.
(Although you can disable this in Firefox in Advanced JavaScript

Also with Nathan's scenario. Even if Facebook only displays
'apps.facebook.com' when posting the link, if the person clicks there
it means he is already on Facebook. If he is already logged in
Facebook, clicking on a link going to a login page is way too obvious.

A good scenario would be via Instant Message. There is no HTML or
JavaScript and when the victim clicks a link he knows he's going to
that link, and there is a big chance he will not notice it is a
redirect.  From http://apps.facebook.com/stuff to
http://apps.facebook.evil.com/stuff  can do the trick.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]