mailing list archives
Re: Facebook URL Redirect Vulnerability
From: Javier Bassi <javierbassi () gmail com>
Date: Thu, 3 Mar 2011 16:49:26 -0300
On Thu, Mar 3, 2011 at 4:04 PM, Chris Evans <scarybeasts () gmail com> wrote:
You do not need an open redirect to trick the user. Try <a
You are all suggesting scenarios in which only a non-tech person would
mouserovering a link. This is what Google does in the search results.
Also with Nathan's scenario. Even if Facebook only displays
'apps.facebook.com' when posting the link, if the person clicks there
it means he is already on Facebook. If he is already logged in
Facebook, clicking on a link going to a login page is way too obvious.
A good scenario would be via Instant Message. There is no HTML or
that link, and there is a big chance he will not notice it is a
redirect. From http://apps.facebook.com/stuff to
http://apps.facebook.evil.com/stuff can do the trick.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/