[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTinvLcCo3O4HKbJC19tnkR6+yVgwHQ76LP4ev4O3@mail.gmail.com>
Date: Wed, 2 Mar 2011 00:11:16 -0500
From: Wesley Kerfoot <wjak56@...il.com>
To: Andrew Farmer <andfarm@...il.com>
Cc: Nathan Power <np@...uritypentest.com>,
Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Facebook URL Redirect Vulnerability
"Sorry! We can't display this content while you're viewing Facebook over a
secure connection (https).
To use this app, you'll need to switch to a regular connection (http)."
On Tue, Mar 1, 2011 at 8:56 PM, Andrew Farmer <andfarm@...il.com> wrote:
> On 2011-02-28, at 09:42, Nathan Power wrote:
> > 3. Impact:
> >
> > Potentially allow an attacker to compromise a victim’s Facebook account
> > and/or computer system.
>
> Do you have an actual attack in mind which could accomplish either of these
> goals, or is this wishful thinking? (Browser exploits don't really count, as
> those would work just fine with or without the redirect.)
>
> To be clear - open redirects are certainly a problem, but don't try to call
> them any more than that.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists