FACEBOOK MESS: Discovered Open URL Redirection flaw in Facebook

SecurityAffairs

facebook-bug-bounty-smaller

Researcher Dan Melamed recently discovered an open url redirection flaw in Facebook that allowed to have a facebook.com link redirect to any website.

A Facebook Open URL Redirection vulnerability is the last discovery of security expert Dan Melamed that reported it in a recent post.

Dan is an old acquaintance of Security Affairs, he revealed in July a Critical Facebook vulnerability that allowed account hacking, in August he discovered 2Facebook vulnerabilities related to the Fanpage Invite of the popular social network and a few weeks later he found a Critical Pinterest Exploit threatens the privacy of millions of users.

About a week ago, he made another interesting discovery, he has found an open url redirection vulnerability in Facebook that allowed him to have a facebook.com link redirect to any website without restrictions.
 
Open URL Redirection
 

An open URL Redirection flaw is generally used to convince a user to click on a trusted link which is specially crafted to take them to an arbitrary website, the target website could be used to serve a malware or for a phishing attack.

 An Open URL Redirection url flaw in Facebook platform and third party applications also exposes the user’s access token at risk if that link is entered as the final destination in an Oauth dialog.

The Facebook Open URL Redirection vulnerability is present in the way Facebook manages the “url” parameter, for example the following URL

 

http://facebook.com/campaign/landing.php?url=http://yahoo.com

 always redirects to the Facebook homepage, but it is sufficient to manipulate the “url” parameter assigning a random string:

http://facebook.com/campaign/landing.php?url=asdf

In reality the above URL generated a unique “h” variable and passed the url parameter to Facebook’s Linkshim (l.php):

http://www.facebook.com/l.php?u=asdf&h=mAQHgtP_E

Once noted the redirection process, Dan Melamed explored the way to exploit the mechanism to bypass the restrictions on redirection and load an arbitrary link. Dan discovered that simply removing the http:// part of the target destination it was able to redirect a Facebook link elsewhere without any restrinction.

http://facebook.com/campaign/landing.php?url=yahoo.com

The Facebook’s Linkshim (l.php) interprets the link target.com the same as http://target.com making possible the redirection.

Facebook informed Dan that because the redirection occurs through the l.php method, the social networking platform is able to apply a proper filter from redirecting using automatic spam and malware analysis.

It is easy to understand that despite Facebook filters target url,  it could not detect all malware/spam campaign addressed “and by the time a link is banned, an attacker would have already moved on to another link.”

Following a video Proof of Concept of the open URL Redirection flaw:

http://www.youtube.com/watch?v=DFPF5IqmRRU#action=share

Facebook quick fixed the vulnerability after the Dan’s report and the payout for the bug is $1,000.

About CHAINSOFF

Collecting, translating, producing, and disseminating open source information that meets the needs of policymakers, the military, state and local law enforcement, operations officers, and analysts through-out Governments.
This entry was posted in Uncategorized and tagged , , , . Bookmark the permalink.

3 Responses to FACEBOOK MESS: Discovered Open URL Redirection flaw in Facebook

  1. If some one needs expert view about blogging and site-building afterward
    i propose him/her to go to see this weblog, Keep
    up the fastidious work.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s