| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 3 Mar 2011 16:49:26 -0300 From: Javier Bassi <javierbassi@...il.com> To: Chris Evans <scarybeasts@...il.com> Cc: Nathan Power <np@...uritypentest.com>, Full Disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: Facebook URL Redirect Vulnerability On Thu, Mar 3, 2011 at 4:04 PM, Chris Evans <scarybeasts@...il.com> wrote: > You do not need an open redirect to trick the user. Try <a > href="http://www.evil.com">www.facebook.com/OMFGacatvomitingacanaryandpuppiesandshit</a> You are all suggesting scenarios in which only a non-tech person would fall. Everybody knows that JavaScript can change the status text when mouserovering a link. This is what Google does in the search results. (Although you can disable this in Firefox in Advanced JavaScript Settings) Also with Nathan's scenario. Even if Facebook only displays 'apps.facebook.com' when posting the link, if the person clicks there it means he is already on Facebook. If he is already logged in Facebook, clicking on a link going to a login page is way too obvious. A good scenario would be via Instant Message. There is no HTML or JavaScript and when the victim clicks a link he knows he's going to that link, and there is a big chance he will not notice it is a redirect. From http://apps.facebook.com/stuff to http://apps.facebook.evil.com/stuff can do the trick. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists