Softpedia
 


December 11th, 2012, 12:40 GMT · By

Open-Redirect Vulnerability Identified in Meebo (Updated)


Researcher finds open-redirect flaw in Meebo
Security researcher Prakhar Prasad has identified an open-redirect vulnerability in the popular instant messaging platform Meebo.

Open-redirect vulnerabilities can be leveraged by cybercriminals to lure their victims to arbitrary domains. The user believes they are visiting a legitimate, reputable site, when they are actually being seamlessly redirected to a malicious one.

The security hole has been reported to Google, which bought Meebo back in June, but the search giant’s security team told the expert that “the security benefits of a well-implemented and carefully monitored URL redirector tend to outweigh the perceived risks.”

They’ve pointed him to the bug bounty page where they explain why such URL redirection vulnerabilities are not included in their reward program.

“Some members of the security community argue that open redirectors are a security issue,” reads the section on URL redirection.

“The common argument in favor of this view is that some users, when presented with a carefully crafted link, may be duped into thinking that they will be taken to a trusted page - but will not be attentive enough to examine the contents of the address bar after the redirection takes place.”

It continues, “On the other hand, we recognize that the address bar is the only reliable security indicator in modern browsers; and consequently, we think that any user who could be misled by a URL redirector can also be tricked in other ways, without relying on any particular trusted website to act as a relying party.”

For his part, Prakhar Prasad, who claims he’s not interested in the reward, argues that while Google is somewhat right and users should examine the site’s address bar, in practice things aren’t as they should be.

“My counter question to Google is, how many 'common' internauts do that in general, checking the address bar again and again. I don't even care whether open-redirects should qualify or not for their reward program, but if there is a security issue (of any kind) it should be properly addressed,” the expert told Softpedia in an email.

Update. The researcher has informed us that the vulnerability has been silently addressed.


READER COMMENTS:


Comment #1 by: abhi on 12 Dec 2012, 15:27 UTC

well done bro.....
