Facebook's URL Scanner Vulnerable To Cloaking Attack 34
Facebook's recent move to scan for malicious URLs sounded like a pretty good idea, but itwbennett writes with word that it's already been bypassed.'Hatter,' a member of hacking think-tank Blackhat Academy, provided a live demonstration, which involved posting the URL to a JPEG file on a wall. Facebook crawled the URL and added a thumbnail image to the wall post, however, clicking on its corresponding link actually redirected users to YouTube. This happened because the destination page was able to identify Facebook's original request and served a JPEG file. Earlier this week, Facebook signed a partnership with Websense to use the security vendor's cloud-based, real-time Web scanner for malicious URL detection. Blackhat Academy has now provided proof-of-concept code, which, according to its advisory, can be used to bypass it."
Re: (Score:1)
Re:First Post (Score:4, Funny)
Re: (Score:1)
Irrelevant (Score:2)
Yes, they managed to get facebook to use their image for a thumbnail. That says absolutely nothing about their ability to detect malicious links. (Rickrolling is not considerered a malicious link in this context.) The request for the thumbnail probably originated from facebook's own servers. The malicious link detection is comes from other IP addresses. TFA explains this.
Re: (Score:2)
Well I hope TFA explains it better than TFS.
This happened because the destination page was able to identify Facebook's original request and served a JPEG file.
Lets see, click a thumbnail, got to the third party server, which does whatever the hell it wants to with your request.
Welcome to the intertubes.
Re:Irrelevant - You can use META TAGS! (Score:3)
Well I hope TFA explains it better than TFS.
This happened because the destination page was able to identify Facebook's original request and served a JPEG file.
Lets see, click a thumbnail, got to the third party server, which does whatever the hell it wants to with your request. Welcome to the intertubes.
I also fail to see why this is a problem.
You can set the thumbnail with the "link rel='image_src'" tags!
Along with the title and description...
No need for any server side code; its all documented on OpenGraph [facebook.com].
Raising money for security research company (Score:2, Funny)
Guys, I've discovered that if you do
if ($certainUserAgent) {
print 'Something;
} else {
print 'Something else';
}
I'm going to start a security company, is anybody interested in hiring researchers for their operations. Corporate contracts start at $100,000.
OMG! (Score:3)
You mean URL's can be verified, and then later have the indecency to point to something else?
Say it isn't so!
Re: (Score:2)
What, wait a minute. You mean a HTTP server can parse the request and serve up different content based on who or what is calling?
*whistle*
Oh the implications!
Never mind Crapbook. Damn, you know, that gives me an AWESOME little idea. You could serve up slightly different code to, say, Explorer and Firefox, to get things to work right for different browsers!
Or here is something evil; bet nobody has thought of this one! We could present a normal looking page to regular users, but a one which is stuffed full of
Must be... (Score:3)
I'm not saying it's aliens (Score:3)
Too slow (Score:2)
The trouble with "malicious URL scanners" that look for malware is that unless they're real-time, they're too late. The lifetime of bad sites is now often measured in hours.
Still, continually detecting the bad guys and beating on them does have effect. Major services have to do it, or they get pwned.
We do some tracking of major sites being exploited by phishers, [sitetruth.com] There are only 29 sites on the list today, one of the shortest lists we've had in years. It's been as high as 140. The URL-shortening sites g
Wrong Build (Score:2)
Facebook should've constructed a comsat scanner, not a URL scanner.
Silly facebook.
Eh Wot? (Score:2)
How do you do that? I mean
posting the URL to a JPEG file
What do you have to do (and how)?
Re: (Score:1)
Re: (Score:1)
OK. Not something average person will do. More a malware/phish/ security thingy.
Thanks
Another proof of concept (Score:2)
A while back I actually wrote a tool for Rickrolling people several months ago:
http://brokenthings.org/
based on poisoned link redirection. It works well enough. The only way to avoid redirector tricks is to follow redirectors all the way to The Actual Page and then use *that* as the reference. Then, at least if the link is poisoned, it'll be obvious.
Re: (Score:2)
A while back I actually wrote a tool for Rickrolling people several months ago:
http://brokenthings.org/ [brokenthings.org]
based on poisoned link redirection. It works well enough. The only way to avoid redirector tricks is to follow redirectors all the way to The Actual Page and then use *that* as the reference. Then, at least if the link is poisoned, it'll be obvious.
Very good point. I believe that the entire point of FB doing this in the first place was to remove responsibility from their end.
<humor>
Not to use an overused and tacky quote, but, "Mission Accomplished."
</humor>
Websense URL Blocking? (Score:1)
I was at a conference last week where the Facebook's malicious URL detection engine, which was stated by a Websense supplier as sourced by Facebook from Websense, was discussed. I remember using Websense years back as a URL filtering engine (which I believe it still is but with an improvement in deep inspection) and can see how Facebook have probably bolted it in so that traffic using redirects from their site get a layer of filtering before redirection from Websense's URL database and fr