Re: [Full-disclosure] Twitter URL spoofing still exploitable

2011-09-27 Thread Pablo Ximenes
Apparently twitter is back to normal, t.co isn't showing in place of
every URL anymore.

This was indeed temporary while they were fixing things as mentioned.

Att,

Pablo Ximenes
http://ximen.es/
http://twitter.com/pabloximenes




2011/9/27 Benji :
> If you hover over the t.co links the alt= tag holds the real url.
>
> On Tue, Sep 27, 2011 at 4:11 PM, dave bl  wrote:
>>
>> On 28 September 2011 01:00, Mario Vilas  wrote:
>> > On Tue, Sep 27, 2011 at 3:26 PM, Dan Kaminsky  wrote:
>> >>>
>> >>> Ok, now nobody can spoof a URL, but how come a user will tell good
>> >>> URLs and bad ones apart? Oh boy!
>> >>>
>> >>
>> >> Wherever did you get the idea that users can do this?
>> >
>> > Jokes apart, I do find it annoying that URLs aren't expanded
>> > automatically anymore. But I don't expect this situation to be permanent.
>>
>> Agreed.
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>



Re: [Full-disclosure] Twitter URL spoofing still exploitable

2011-09-27 Thread Benji
If you hover over the t.co links the alt= tag holds the real url.

On Tue, Sep 27, 2011 at 4:11 PM, dave bl  wrote:

> On 28 September 2011 01:00, Mario Vilas  wrote:
> > On Tue, Sep 27, 2011 at 3:26 PM, Dan Kaminsky  wrote:
> >>>
> >>> Ok, now nobody can spoof a URL, but how come a user will tell good
> >>> URLs and bad ones apart? Oh boy!
> >>>
> >>
> >> Wherever did you get the idea that users can do this?
> >
> > Jokes apart, I do find it annoying that URLs aren't expanded
> > automatically anymore. But I don't expect this situation to be permanent.
>
> Agreed.
>

Re: [Full-disclosure] Twitter URL spoofing still exploitable

2011-09-27 Thread dave bl
On 28 September 2011 01:00, Mario Vilas  wrote:
> On Tue, Sep 27, 2011 at 3:26 PM, Dan Kaminsky  wrote:
>>>
>>> Ok, now nobody can spoof a URL, but how come a user will tell good
>>> URLs and bad ones apart? Oh boy!
>>>
>>
>> Wherever did you get the idea that users can do this?
>
> Jokes apart, I do find it annoying that URLs aren't expanded automatically
> anymore. But I don't expect this situation to be permanent.

Agreed.



Re: [Full-disclosure] Twitter URL spoofing still exploitable

2011-09-27 Thread Mario Vilas
On Tue, Sep 27, 2011 at 3:26 PM, Dan Kaminsky  wrote:

>> Ok, now nobody can spoof a URL, but how come a user will tell good
>> URLs and bad ones apart? Oh boy!
>>
> Wherever did you get the idea that users can do this?
>

Jokes apart, I do find it annoying that URLs aren't expanded automatically
anymore. But I don't expect this situation to be permanent.

-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”

Re: [Full-disclosure] Twitter URL spoofing still exploitable

2011-09-27 Thread Dan Kaminsky
>
> Ok, now nobody can spoof a URL, but how come a user will tell good
> URLs and bad ones apart? Oh boy!
>
>
Wherever did you get the idea that users can do this?

Re: [Full-disclosure] Twitter URL spoofing still exploitable

2011-09-27 Thread Darren Martyn
So their patching method merely introduced another exploitation method?
Reminds me of some of Oracle's patches...

On Tue, Sep 27, 2011 at 3:18 AM, Pablo Ximenes  wrote:

> Some of you might consider this blog post of value: http://ximen.es/?p=534
>
> Thanks,
>
> Pablo Ximenes
> http://ximen.es/
> http://twitter.com/pabloximenes
>

[Full-disclosure] Twitter URL spoofing still exploitable

2011-09-26 Thread Pablo Ximenes
Some of you might consider this blog post of value: http://ximen.es/?p=534

Thanks,

Pablo Ximenes
http://ximen.es/
http://twitter.com/pabloximenes
