On Thu, Mar 3, 2011 at 4:04 PM, Chris Evans <scarybea...@gmail.com> wrote:
> You do not need an open redirect to trick the user. Try <a
> href="http://www.evil.com">www.facebook.com/OMFGacatvomitingacanaryandpuppiesandshit</a>
You are all suggesting scenarios for which only a non-tech person would fall. Everybody knows that JavaScript can change the status text when mousing over a link. This is what Google does in the search results. (Although you can disable this in Firefox in Advanced JavaScript Settings.)

The same applies to Nathan's scenario. Even if Facebook only displays 'apps.facebook.com' when posting the link, if the person clicks there it means he is already on Facebook. If he is already logged in to Facebook, clicking on a link going to a login page is way too obvious.

A good scenario would be via Instant Message. There is no HTML or JavaScript, and when the victim clicks a link he knows he's going to that link, and there is a big chance he will not notice it is a redirect. Going from http://apps.facebook.com/stuff to http://apps.facebook.evil.com/stuff can do the trick.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
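The two tricks discussed in this thread (an anchor whose visible text is a facebook.com URL while its href points at evil.com, and a lookalike host such as apps.facebook.evil.com sent over IM where only the URL string is visible) can both be caught by comparing registrable domains rather than eyeballing the string. The code below is an added example, not from the thread or from Facebook; it assumes a simplified "last two labels" rule for the registrable domain (a real check should use the Public Suffix List so that hosts under co.uk and similar are handled) and uses a constructed set of sample links, including the two URLs quoted above.

```javascript
// Added example: flag the link-deception tricks discussed in the thread.
// Assumption: the registrable domain is the last two labels of the hostname.
// Real deployments should use the Public Suffix List instead.

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  return labels.length < 2 ? labels.join('.') : labels.slice(-2).join('.');
}

// Parse a URL, tolerating link text without a scheme ("www.facebook.com/...").
function parseLoose(s) {
  try {
    return new URL(/^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : 'http://' + s);
  } catch (e) {
    return null;
  }
}

// True when the string a user sees reads like a URL or hostname.
function looksLikeUrl(text) {
  return /^(https?:\/\/)?[a-z0-9-]+(\.[a-z0-9-]+)+(\/\S*)?$/i.test(text);
}

// Trick 1 (Chris Evans' <a> example): the visible text names one site,
// the href goes to another.
function textHrefMismatch(text, href) {
  const t = text.trim();
  if (!looksLikeUrl(t)) return false;           // "Click here" is not a URL claim
  const shown = parseLoose(t);
  const real = parseLoose(href);
  if (!shown || !real) return false;
  return registrableDomain(shown.hostname) !== registrableDomain(real.hostname);
}

// Trick 2 (the IM example): apps.facebook.evil.com carries the trusted brand
// as a subdomain label but is registered under a different domain.
function impersonates(href, trustedRegistrable) {
  const u = parseLoose(href);
  if (!u) return false;
  const trusted = trustedRegistrable.toLowerCase();
  if (registrableDomain(u.hostname) === trusted) return false;  // genuinely on the trusted site
  const brand = trusted.split('.')[0];                         // e.g. "facebook"
  const extraLabels = u.hostname.toLowerCase().split('.').slice(0, -2);
  return extraLabels.includes(brand);
}

// Constructed sample links, including the two URLs quoted in the thread.
const SAMPLE_LINKS = [
  { text: 'www.facebook.com/OMFGacatvomitingacanaryandpuppiesandshit', href: 'http://www.evil.com' },
  { text: 'http://apps.facebook.evil.com/stuff', href: 'http://apps.facebook.evil.com/stuff' },
  { text: 'Click here', href: 'http://www.evil.com' },
  { text: 'http://apps.facebook.com/stuff', href: 'http://apps.facebook.com/stuff' },
];

function auditLinks(links, trustedRegistrable) {
  return links.map((l) => ({
    text: l.text,
    href: l.href,
    textMismatch: textHrefMismatch(l.text, l.href),
    lookalike: impersonates(l.href, trustedRegistrable),
  }));
}

for (const r of auditLinks(SAMPLE_LINKS, 'facebook.com')) {
  console.log(`${r.href}\ttextMismatch=${r.textMismatch}\tlookalike=${r.lookalike}`);
}
```

The first sample trips only the text/href check (the href's registrable domain is evil.com, and nothing in its hostname borrows the brand), the second trips only the lookalike check (text and href agree, but the host is registered under evil.com), and the two honest links trip neither. Because the IM case gives a client nothing but the URL string, the lookalike check is the one that matters there.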