by yyyk
1691 days ago
> but that's not really possible without control of "google.com"

An open redirect bug in the phished site should allow this scenario:

A) Set up the offending link, redirecting to the phishing.com site.

B) When receiving the twitter bot, redirect back to a safe page on the original site for the summary. I understand twitter shows either the original URL or the final URL, but doesn't care for phishing.com in the middle.

C) Don't redirect back for non twitter traffic, so they end up on phishing.com.

A complex scenario, but perhaps enough to show that redirect bugs also matter.
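The scenario above works only because the site's redirect endpoint accepts an arbitrary destination. The fix on the site's side is to validate the redirect target before following it. The following is an added example (not code from the comment or from any site it mentions) of a redirect validator that only accepts same-origin paths; `SITE_ORIGIN`, `is_safe_redirect` and `resolve_redirect` are names chosen here, and the sample inputs are constructed. The check is deterministic with respect to the request, so the same decision is made whether the visitor is a link-preview bot or a person, which is exactly what removes the "different answer for the bot" trick.

```python
from urllib.parse import urljoin, urlparse

# Constructed placeholder for the site that hosts the redirect endpoint.
SITE_ORIGIN = "https://example.com"


def is_safe_redirect(target: str, origin: str = SITE_ORIGIN) -> bool:
    """Return True only if `target` is an absolute path on `origin`.

    Rejects anything that carries its own scheme or host (http://..., //host,
    javascript:), backslash variants some browsers treat as slashes, and
    control characters that could split headers.
    """
    if not target or any(c in target for c in "\r\n\t\x00"):
        return False
    if "\\" in target:
        return False
    parsed = urlparse(target)
    if parsed.scheme or parsed.netloc:
        # An explicit scheme or network location means an off-site target.
        return False
    if not target.startswith("/") or target.startswith("//"):
        # Require a path rooted at this origin; "//" would be protocol-relative.
        return False
    # Resolve against the origin and confirm the result still lives there.
    resolved = urlparse(urljoin(origin, target))
    expected = urlparse(origin)
    return resolved.scheme == expected.scheme and resolved.netloc == expected.netloc


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Return `target` if it passes validation, otherwise a safe fallback path."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed sample values a redirect endpoint might receive in a `next=` parameter.
    samples = [
        "/account",                      # allowed: same-origin path
        "/login?next=/settings",         # allowed: query string is fine
        "https://phishing.example/login",  # rejected: absolute off-site URL
        "//phishing.example",            # rejected: protocol-relative
        "/\\phishing.example",           # rejected: backslash trick
        "javascript:alert(1)",           # rejected: non-http scheme
        "",                              # rejected: empty
    ]
    for s in samples:
        print(f"{s!r:34} -> {resolve_redirect(s)!r}")
```

Allowing only rooted paths is stricter than an allowlist of hosts, but it is also the option with the fewest parsing edge cases; if cross-host redirects are genuinely needed, compare the parsed host against a fixed list rather than matching on prefixes.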