Re: [Full-disclosure] Facebook URL redirection issue



On Sun, Apr 3, 2011 at 4:26 PM, Javier Bassi <javierbassi@xxxxxxxxx> wrote:

Reported this issue to Facebook team on 03/22/11 and Facebook team
acknowledged this issue on 03/29/11 and fixed this vulnerability.

They still have redirects on apps made by their users, and they don't care
http://apps.facebook.com/truthsaboutu/track.php?r=http://www.google.com
and if someone falls in basic phishing with facebook domain, he will
fall with apps.facebook subdomain too.

Btw, linkedin has open redirect too and they couldn't care less about it
http://www.linkedin.com/redirect?url=www.google.com


Probably because it's not a big deal?

What next, an advisory about how massive quantities of "open redirectors"
have been found on bit.ly, goo.gl and tinyurl.com ?


Cheers
Chris



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: [Full-disclosure] Ebay XSS
    ... pretty hot this one you should also warn it redirects to a SCAMMER's ... Full-Disclosure - We believe in it. ... Charter: http://lists.grok.org.uk/full-disclosure-charter.html ... Hosted and sponsored by Secunia - http://secunia.com/ ...
    (Full-Disclosure)
  • Re: [Full-disclosure] [Argeniss] Alert - Yahoo! Webmail XSS
    ... redirects to http://211.22.14.50/.yahoomail/x.htm and spoofs a Yahoo ... Full-Disclosure - We believe in it. ... Charter: http://lists.grok.org.uk/full-disclosure-charter.html ... Hosted and sponsored by Secunia - http://secunia.com/ ...
    (Full-Disclosure)
  • Re: [Full-disclosure] Facebook URL redirection issue
    ... If it's social and it's Facebook, ... They still have redirects on apps made by their users, and they don't care ... Hosted and sponsored by Secunia - http://secunia.com/ ...
    (Full-Disclosure)
  • Re: [Full-disclosure] Facebook URL redirection issue
    ... They still have redirects on apps made by their users, and they don't care ... and if someone falls in basic phishing with facebook domain, ...
    (Full-Disclosure)
  • [Full-disclosure] Yahoo cookie stealer
    ... Redirects to: ... Full-Disclosure - We believe in it. ... Charter: http://lists.grok.org.uk/full-disclosure-charter.html ... Hosted and sponsored by Secunia - http://secunia.com/ ...
    (Full-Disclosure)