Full Disclosure
mailing list archives
Re: Facebook URL Redirect Vulnerability
From: Javier Bassi <javierbassi () gmail com>
Date: Thu, 3 Mar 2011 16:49:26 -0300
On Thu, Mar 3, 2011 at 4:04 PM, Chris Evans <scarybeasts () gmail com> wrote:
You do not need an open redirect to trick the user. Try <a href="http://www.evil.com">www.facebook.com/OMFGacatvomitingacanaryandpuppiesandshit</a>
You are all suggesting scenarios into which only a non-tech person would
fall. Everybody knows that JavaScript can change the status text when
mousing over a link. This is what Google does in the search results.
(Although you can disable this in Firefox in Advanced JavaScript
Settings.)
Also with Nathan's scenario. Even if Facebook only displays
'apps.facebook.com' when posting the link, if the person clicks there
it means he is already on Facebook. If he is already logged in to
Facebook, clicking on a link going to a login page is way too obvious.
A good scenario would be via Instant Message. There is no HTML or
JavaScript and when the victim clicks a link he knows he's going to
that link, and there is a big chance he will not notice it is a
redirect. From http://apps.facebook.com/stuff to
http://apps.facebook.evil.com/stuff can do the trick.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
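The two tricks discussed in this thread (link text that names one host while the href goes to another, and a lookalike host such as apps.facebook.evil.com) are exactly what a mail gateway, IM link filter or browser extension has to catch. The following is an added example written for this archive page, not code from any of the posters: it parses links with the WHATWG URL API (available in Node.js and browsers) and flags both cases. The trusted domain name and the sample links are constructed for illustration.

```javascript
// Added example (not from the original post): classify links the way a
// defender's URL filter would, so lookalikes are not mistaken for the real site.
const TRUSTED_DOMAIN = "facebook.com"; // assumption: the brand being protected

// True only when the hostname is the trusted domain itself or a genuine
// subdomain of it. A naive substring test (host.includes("facebook.com"))
// would accept apps.facebook.evil.com, which is the trick the post describes.
function hostBelongsTo(urlString, trustedDomain) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // not an absolute URL: treat as untrusted
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  return host === trustedDomain || host.endsWith("." + trustedDomain);
}

// Host that the *visible* link text appears to name, if the text looks like
// a URL with or without a scheme; null when the text is not URL-like.
function apparentHost(text) {
  const t = text.trim();
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(t) ? t : "http://" + t;
  try {
    const host = new URL(withScheme).hostname.toLowerCase();
    // Require at least one dot so a plain word is not treated as a host.
    return host.includes(".") ? host : null;
  } catch (e) {
    return null;
  }
}

// Flag an anchor whose visible text names one host while its href goes to
// another: the <a href="http://www.evil.com">www.facebook.com/...</a> case.
function linkTextMismatch(text, href) {
  const shown = apparentHost(text);
  if (shown === null) return false; // text is not URL-like, nothing to compare
  let real;
  try {
    real = new URL(href).hostname.toLowerCase();
  } catch (e) {
    return true; // URL-like text over an unparseable href is suspicious
  }
  return shown !== real;
}

// Combine both checks into a single verdict for one link.
function classifyLink(text, href) {
  if (linkTextMismatch(text, href)) return "text/href mismatch";
  if (!hostBelongsTo(href, TRUSTED_DOMAIN)) return "untrusted host";
  return "ok";
}

// Constructed sample links, modelled on the cases discussed in the thread:
// [visible text, actual href].
const SAMPLE_LINKS = [
  ["http://apps.facebook.com/stuff", "http://apps.facebook.com/stuff"],
  ["http://apps.facebook.com/stuff", "http://apps.facebook.evil.com/stuff"],
  ["www.facebook.com/OMFGacat", "http://www.evil.com"],
  ["click here", "http://www.evil.com/login"],
];

function classifyAll(links) {
  return links.map(([text, href]) => [href, classifyLink(text, href)]);
}

for (const [href, verdict] of classifyAll(SAMPLE_LINKS)) {
  console.log(`${verdict.padEnd(20)} ${href}`);
}
```

The suffix check in hostBelongsTo is the part people most often get wrong: matching on "facebook.com" anywhere in the host, or on a prefix such as "apps.facebook.com", accepts the lookalike from the IM scenario. Comparing the parsed hostname against the registrable domain, with a leading dot, is the check that holds.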