Skype And Dropbox Fix Redirect Security Hole Courtesy of Nir Goldshlager
Nir Goldshlager just saved your identity. One of the world’s top white hat security researchers, Goldshlager this week helped Skype and Dropbox fix a critical security flaw that could have let hackers take control of their users’ Facebook accounts. Tomorrow Goldshlager will detail how he found the exploit, but he gave TechCrunch the early heads up. Here’s how hackers exploit the hole.
First the good news. Since it was reported responsibly, it appears that no one fell victim to this flaw, known as an “open redirect vulnerability.” The issue essentially occurs when a website doesn’t validate the URL to which it sends a user, along with that user’s access tokens. Normally sites verify that the URLs they send you to are owned either by them or by one of their trusted partners. But if they don’t, a hacker who knows someone’s user ID and that they’ve granted permissions to a vulnerable site could visit http://www.MySiteIsVulnerable.com?UserID55555redirect=www.MaliciousSite… and steal that person’s access tokens, allowing them to take actions as if they were the hacked user. Naughty identity thieves.
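To make the missing check concrete, here is an added example (not code from the article, nor from Skype, Dropbox or Facebook) of a redirect handler that trusts its redirect parameter as-is, next to a hardened one that only follows the redirect when the destination is on a hypothetical allowlist of hosts; it also covers the common bypasses a naive host check misses.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: the site itself plus one trusted partner.
ALLOWED_HOSTS = {"www.example-app.com", "partner.example"}


def vulnerable_redirect_target(requested: str) -> str:
    """The open-redirect flaw: whatever the redirect parameter names is used
    as the destination, so a token attached to the redirect goes there too."""
    return requested


def is_safe_redirect(requested: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if following `requested` keeps the user on an allowlisted host."""
    parts = urlsplit(requested)

    if parts.scheme == "" and parts.netloc == "":
        # A same-site relative path such as "/account" is fine. Reject
        # scheme-relative "//evil.example" and any backslash, which browsers
        # normalise to "/" and would turn "/\evil.example" into a new host.
        return (
            requested.startswith("/")
            and not requested.startswith("//")
            and "\\" not in requested
        )

    # Only http(s) destinations; drops javascript:, data:, and similar.
    if parts.scheme not in ("http", "https"):
        return False

    # "http:evil.example" parses with no netloc but browsers still treat it
    # as a host, and "https://www.example-app.com@evil.example/" hides the
    # real host behind userinfo; both are rejected here.
    if not parts.netloc or parts.username is not None or parts.password is not None:
        return False

    # Exact host match: "www.example-app.com.evil.example" is not our host.
    return (parts.hostname or "").lower() in allowed_hosts


def safe_redirect_target(requested: str, fallback: str = "/") -> str:
    """Hardened handler: validate first, otherwise land on a safe default page."""
    return requested if is_safe_redirect(requested) else fallback
```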