Skip to main content

Skype And Dropbox Fix Redirect Security Hole Courtesy of Nir Goldshlager

posted onApril 4, 2013
by l33tdawg

Nir Goldshlager just saved your identity. One of the world’s top white hat security researchers, Goldshlager this week helped Skype and Dropbox fix a critical security flaw that could have let hackers take control of their users’ Facebook accounts. Tomorrow Goldshlager will detail how he found the exploit, but he gave TechCrunch the early heads up. Here’s how hackers exploit the hole.

First the good news. Since it was reported responsibly, it appears that no one fell victim to this flaw, known as an “open redirect vulnerability.” The issue essentially occurs when a website doesn’t validate the URL where it sends a user and their access tokens. Normally sites verify that the URLs they send you to are either owned by them or one of their trusted partners. But if they don’t, a hacker who knows someone’s user ID and that they’ve granted permissions to a vulnerable site could visit http://www.MySiteIsVulnerable.com?UserID55555redirect=www.MaliciousSite… and steal that person’s access tokens, allowing them to take actions as if they were the hacked user. Naughty identity thieves.

Source

Tags

Security Facebook Dropbox Skype

Recent News

Tuesday, November 14th

Sunday, November 12th

Friday, November 10th

Wednesday, November 8th

Monday, November 6th