lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 27 Sep 2011 10:12:27 -0300
From: Pablo Ximenes <pablo@...en.es>
To: Darren Martyn <d.martyn.fulldisclosure@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Twitter URL spoofing still exploitable

Actually, I'm not sure if their first patch added this new exploit I
mentioned in my blog or it it was already there unnoticed,  but
twitter's last fix sure did break stuff.

They sort of fixed my URL spoofing method by disabling their URL
spoofing that made t.co's links look like the original URL posted in
the tweet. Now every link in twitter displays as http://t.co/something
!!!

Ok, now nobody can spoof a URL, but how come a user will tell good
URLs and bad ones apart? Oh boy!

I have updated my blog to include these details: http://ximen.es/?p=534

Regards,

Pablo Ximenes
http://ximen.es/
http://twitter.com/pabloximenes




2011/9/27 Darren Martyn <d.martyn.fulldisclosure@...il.com>:
> So their patching method merely introduced another exploitation method?
> Reminds me of some of Oracles patches...
>
> On Tue, Sep 27, 2011 at 3:18 AM, Pablo Ximenes <pablo@...en.es> wrote:
>>
>> Some of you might consider this blog post of value: http://ximen.es/?p=534
>>
>> Thanks,
>>
>> Pablo Ximenes
>> http://ximen.es/
>> http://twitter.com/pabloximenes
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ