ush.it - a beautiful place

Bad url redirections (AKA: Many thanks to our partners!)

January 30, 2007 at 1:36 am - Filed under Hacks, Language EN - 724 words, reading time ~2 minutes

This story is mostly funsec, if you can't handle funsec stop reading :) You have just developed your brand new application, its name is EVIL.EXE. It's a very good application but nobody will install it without good partners. You need somebody users trust who is willing to distribute it. So, let's go! Find some good partners.

Open office partnership (bounced, sponsored) [Screenshot]

OpenOffice will greet users and invite them to download the package; when the user clicks Proceed he will get the stuff. Only the Italian localization has this nice feature, I suppose we (Italian people) are a step ahead because of this :) Anyway, point your browser to http://native-lang.openoffice.org/ and let's see if there are other localized subdomains with this feature.

Alexa partnership A (bounced) [Screenshot]

Alexa will display stats about the destination site; when the user clicks on the site name he will be redirected to the url below.

Alexa partnership B (direct)

The url will bring the user directly to the executable; you could use this for direct linking.

A9 partnership (direct, sponsored) [Screenshot]

A9 will do much more: you can fully personalize the frame on the top, and the package will load in the bottom one.

Google partnership (direct, sponsored)

Google will do the same as A9: very similar url, similar parameters. It could be the same appliance. I dunno and don't care.

Now it's better to stop, also because the aim of this article is not to give you the top 1000 phishing urls but to show that big web players don't care about your safety and let (bad) people abuse their sites and the trust customers have in the brand.

These are not XSS vulnerabilities, simply http, html and javascript redirections to arbitrary urls that can be abused. The web is filled with this shit, but anonymous-blog-that-nobody-reads.com is different from Google, Alexa or A9 from a trust point of view.

It's time for some speculation: why does this happen? These aren't strictly bugs (of course they are, they can be abused in phishing attacks) but mostly design errors, at least from a security standpoint. I'll explain better: it's a resource problem, or a non-problem if you want; basically they are giving away your safety to save a few bucks.

Why? Because giving a page all the data it needs by POST or GET is cheaper than giving it just an ID. Wow, you saved a SELECT! Somebody could argue: but we have a 2Tb database and a SELECT is not cheap!

Response: keys, de-normalization, sessions, and if this is not enough consider that you are making big bucks from your 2Tb database, you should care. I know you are not evil, but sometimes I think I'm wrong.
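To make the "give just an ID" argument concrete, here is an added example (not code from the original post, and not taken from any of the sites named above) of a bounce endpoint written both ways. The legacy design carries the full destination in a url= parameter and has to validate it against an allowlist; the preferred design carries only an opaque id= and resolves the destination from a server-side table, so a visitor cannot supply an arbitrary target at all. The hostnames, table entries and parameter names are constructed for the example.

```python
# Added example: two designs for a /bounce endpoint.
# Constructed data throughout; nothing here comes from a real site.
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed allowlist of hosts this site is willing to bounce visitors to.
ALLOWED_HOSTS = {"partner-a.example", "downloads.partner-b.example"}

# Constructed server-side table: opaque ID -> destination.  Only the ID
# travels in the URL, which is the "one more SELECT" the post talks about.
REDIRECT_TABLE = {
    "p1": "https://partner-a.example/get/package.tar.gz",
    "p2": "https://downloads.partner-b.example/",
}


def safe_target_from_url(candidate: str) -> Optional[str]:
    """Validate a destination carried in the query string (the url= design).

    Returns the normalized URL only if it is an absolute https URL whose host
    is in ALLOWED_HOSTS; otherwise None.  Scheme-relative values ("//host/")
    and javascript: values never parse to scheme "https", so they fail here.
    """
    parts = urlsplit(candidate.strip())
    if parts.scheme != "https":
        return None
    if parts.hostname is None or parts.hostname not in ALLOWED_HOSTS:
        return None
    return urlunsplit(parts)


def resolve_redirect(query_string: str) -> Tuple[int, str]:
    """Tiny request handler for /bounce?...: returns (status, location_or_message).

    id=  -> preferred design: destination looked up server-side, 404 if unknown.
    url= -> legacy design: destination must pass safe_target_from_url(), else 400.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    if "id" in params:
        target = REDIRECT_TABLE.get(params["id"][0])
        return (302, target) if target else (404, "unknown redirect id")
    if "url" in params:
        target = safe_target_from_url(params["url"][0])
        return (302, target) if target else (400, "destination not allowed")
    return (400, "missing id or url")


if __name__ == "__main__":
    for qs in ("id=p1", "id=nope", "url=https://partner-a.example/x",
               "url=http://partner-a.example/x", "url=https://evil.example/",
               "url=//evil.example/", "url=javascript:alert(1)"):
        print(f"{qs!r:40} -> {resolve_redirect(qs)}")
```

The id= path is the one worth copying: the table lookup is the only cost, and there is nothing in the request a phisher can point somewhere else. If a url= parameter has to stay for compatibility, the allowlist check above is the minimum; a plain "starts with https://" test is not enough because the host, not the scheme, is what makes the bounce trustworthy.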

Watch the demo (swf)

Note: It was unclear whether this article should be published, but after seeing these two pages (So it begins, So it begins (Redirect edition)) my full disclosure faith has been restored -_-
