[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Twitter URL spoofing still exploitable
- To: Darren Martyn <d.martyn.fulldisclosure@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Twitter URL spoofing still exploitable
- From: Pablo Ximenes <pablo@xxxxxxxx>
- Date: Tue, 27 Sep 2011 10:12:27 -0300
Actually, I'm not sure if their first patch added this new exploit I
mentioned in my blog or it it was already there unnoticed, but
twitter's last fix sure did break stuff.
They sort of fixed my URL spoofing method by disabling their URL
spoofing that made t.co's links look like the original URL posted in
the tweet. Now every link in twitter displays as http://t.co/something
!!!
Ok, now nobody can spoof a URL, but how come a user will tell good
URLs and bad ones apart? Oh boy!
I have updated my blog to include these details: http://ximen.es/?p=534
Regards,
Pablo Ximenes
http://ximen.es/
http://twitter.com/pabloximenes
2011/9/27 Darren Martyn <d.martyn.fulldisclosure@xxxxxxxxx>:
> So their patching method merely introduced another exploitation method?
> Reminds me of some of Oracles patches...
>
> On Tue, Sep 27, 2011 at 3:18 AM, Pablo Ximenes <pablo@xxxxxxxx> wrote:
>>
>> Some of you might consider this blog post of value: http://ximen.es/?p=534
>>
>> Thanks,
>>
>> Pablo Ximenes
>> http://ximen.es/
>> http://twitter.com/pabloximenes
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/