[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Facebook URL Redirect Vulnerability
- To: Andrew Farmer <andfarm@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Facebook URL Redirect Vulnerability
- From: Chris Evans <scarybeasts@xxxxxxxxx>
- Date: Tue, 1 Mar 2011 18:46:08 -0800
On Tue, Mar 1, 2011 at 5:56 PM, Andrew Farmer <andfarm@xxxxxxxxx> wrote:
> On 2011-02-28, at 09:42, Nathan Power wrote:
> > 3. Impact:
> >
> > Potentially allow an attacker to compromise a victim’s Facebook account
> > and/or computer system.
>
> Do you have an actual attack in mind which could accomplish either of these
> goals, or is this wishful thinking? (Browser exploits don't really count, as
> those would work just fine with or without the redirect.)
>
> To be clear - open redirects are certainly a problem, but don't try to call
> them any more than that.
>
Thanks for the note of sanity. Not everyone thinks they even a problem:
http://scarybeastsecurity.blogspot.com/2010/06/open-redirectors-some-sanity.html
Tip for OWASP: when listing vulnerability classes, feel free to stop at 9
rather than struggling to find a random 10th, just because 10 is a nice
number :)
Cheers
Chris
_______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/