Hello, welcome to the Thursday, August 29, 2019 edition of the Sandsenvit Storm Center's Stormcast.

My name is Johannes Ulrich.

And I'm recording from New York City, New York.

Today we have another guest diary from Jan Correba to talk about.

This one is about an often neglected and sometimes

underestimated web application vulnerability open redirects. OAS patted as part of its top

10 list in, I think up to 2013 open redirects usually happen if a website redirects a user to a different

page or a site based on an unvalidated URL parameter.

So what happens here is that someone can send a victim a link that goes to a page that the victim trusts, but as part

of the URL, there is a second URL that's then being used to redirect the victim. One concern

with this vulnerability is, of course, fishing an attacker could craft a link that leads to the page to be fished and have it redirect the victim to the actual fishing page.

Of course, in most cases, attackers can get away with simpler fishing attacks.

That's why you probably don't see this attack done really that often, even though one

thing Jan found is that there are a ton of websites out there that suffer from exactly this

vulnerability.

And Jan offers some Google dorks to help track down possible vulnerable pages.

And yet again, we got Android malware to talk about.

This one is a bit more tricky than the one I talked about yesterday.

The problem in question is cam scanner, an application that allows you to scan documents with your phone's camera

and turn them into PDFs. The application itself is essentially legit and works, but like often

with free software, the application does earn some money via advertisements, and apparently the author of

the application may have gotten a little bit greedy recently. In order to support the advertisement

...