ToorCon 9: URI Use And Abuse


Nathan McFeters and Rob Carter gave a presentation on the problems with URI handling. URIs are used to send commands to external applications from a web browser; itms:// for iTunes, for example. Any application that registers a URI scheme can potentially be abused through this route, because the handler receives input from whatever web page the browser happens to load. For their first example they showed a stack overflow in Trillian's AIM handling. The next demo created a "Critical Update Available" button on Picasa's interface. When the user clicked it, their photos would be uploaded to the attacker's server. They even displayed a "download progress" bar to encourage the user to keep the connection open. You can read about the attack on co-contributor Billy Rios's blog.
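The two demos illustrate the two failure modes a URI handler has to guard against: unbounded input copied into a fixed buffer (the Trillian overflow) and a URI that silently triggers a sensitive action (the Picasa upload). The following is an added example, not code from the talk or from any application it mentions; it assumes a hypothetical `myapp://` scheme whose handler takes an action name and an optional `id` parameter, and shows the checks a handler should run on the URI before acting on it.

```python
"""Defensive parsing for a custom URI-scheme handler.

Added example; the 'myapp://' scheme, its actions and the 'id' parameter
are constructed for illustration. A URI handler is effectively a network
service: any page the browser visits can invoke it, so every field must be
bounded and allow-listed, and anything that affects user data must not run
without an explicit confirmation.
"""
import re
from urllib.parse import urlsplit, parse_qs

ALLOWED_SCHEMES = {"myapp"}
ALLOWED_ACTIONS = {"open", "refresh", "upload"}
SENSITIVE_ACTIONS = {"upload"}       # never performed silently from a URI
MAX_URI_LEN = 1024                   # bound length before any fixed-size copy
ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# Quoting and control characters must not reach a handler that is launched
# through a command-line template; refuse them rather than trying to escape.
FORBIDDEN_CHARS = set('"\'`\\') | {chr(c) for c in range(0x20)} | {chr(0x7F)}


class UriRejected(ValueError):
    """Raised for any URI the handler should refuse to act on."""


def parse_handler_uri(uri: str) -> dict:
    """Validate a myapp:// URI and return the action it requests.

    Returns {'action': str, 'id': str | None, 'needs_confirmation': bool}.
    Raises UriRejected for anything outside the allow-lists.
    """
    # 1. Length bound first: the Trillian case was an over-long URI argument.
    if len(uri) > MAX_URI_LEN:
        raise UriRejected("URI exceeds maximum length")

    # 2. Reject raw quoting/control characters anywhere in the URI.
    bad = FORBIDDEN_CHARS.intersection(uri)
    if bad:
        raise UriRejected(f"forbidden characters in URI: {sorted(bad)}")

    parts = urlsplit(uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UriRejected(f"unexpected scheme: {parts.scheme!r}")

    # 3. The action is the authority component; only known verbs are accepted.
    action = parts.netloc.lower()
    if action not in ALLOWED_ACTIONS or parts.path not in ("", "/"):
        raise UriRejected(f"unknown action: {parts.netloc!r}{parts.path!r}")

    # 4. Parameters: only 'id', at most once, and only in the expected form.
    #    parse_qs percent-decodes, so the regex is what stops %22 etc.
    params = parse_qs(parts.query, keep_blank_values=True)
    unexpected = set(params) - {"id"}
    if unexpected:
        raise UriRejected(f"unexpected parameters: {sorted(unexpected)}")
    ids = params.get("id", [])
    if len(ids) > 1:
        raise UriRejected("duplicate id parameter")
    item_id = ids[0] if ids else None
    if item_id is not None and not ID_RE.match(item_id):
        raise UriRejected("id has invalid form")

    # 5. Data-affecting actions are flagged so the caller prompts the user,
    #    which is what would have stopped the silent Picasa upload.
    return {
        "action": action,
        "id": item_id,
        "needs_confirmation": action in SENSITIVE_ACTIONS,
    }


if __name__ == "__main__":
    for sample in ("myapp://open?id=abc123", "myapp://upload?id=album-7",
                   "itms://open", 'myapp://open?id="x"'):
        try:
            print(sample, "->", parse_handler_uri(sample))
        except UriRejected as exc:
            print(sample, "-> rejected:", exc)
```

The order of the checks matters: the length and character filters run on the raw string before any parsing, so a malformed URI is discarded before it can reach code that copies or interprets it, and the regex on the decoded `id` value is what catches percent-encoded quoting that the raw filter cannot see.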
