[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Facebook URL redirection issue

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Facebook URL redirection issue
From: kiran Maraju <kiran_maraju@xxxxxxxxx>
Date: Sun, 3 Apr 2011 12:54:29 +0530 (IST)

Hi all,



URL redirection vulnerability observed in Facebook. Facebook
application has not sanitized the “redirect” input parameter. if you provide
"redirect" parameter to any third party site then the web page is
redirecting to the third party site. This would aid phishing attacks by using 
an attacker's dummy site (providing
redirect value to the dummy site).


URL: http://www.facebook.com/ajax/set_as_homepage.php?uid=<<any 
value>>&assoc=SetAsHomepageAssocInterstitial&action=cancel&redirect=<<Any web 
Site URL>> 



Reported this issue to Facebook team on 03/22/11 and Facebook
team acknowledged this issue on 03/29/11 and fixed this vulnerability.


Status: Reported this issue to the vendor and vendor fixed this issue.

Best Regards,
Kiran Maraju

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Facebook URL redirection issue
  - From: Javier Bassi

Prev by Date: [Full-disclosure] Cisco ACS 1121 Appliance BMC default credentials
Next by Date: Re: [Full-disclosure] Facebook URL redirection issue
Previous by thread: [Full-disclosure] Cisco ACS 1121 Appliance BMC default credentials
Next by thread: Re: [Full-disclosure] Facebook URL redirection issue
Index(es):
- Date
- Thread