Security Researcher Dan Melamed Found an Open URL Redirection Vulnerability in Facebook that allowed him to have a Facebook.com link redirect to any website without restrictions.
The Open URL Redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.
An Open URL Redirection in Facebook platform and third party applications also expose the users to access token at risk if that link is enabled as the final destination in an Oauth Dialog.
The flaw exists in the way Facebook handled the url parameter. Visiting the link below would always redirect to the Facebook homepage:
http://facebook.com/campaign/
But I noticed that changing the url to a random string, for example:
http://facebook.com/campaign/landing.php?url=asdf
The link above generated a unique "h" variable and passed the url parameter to Facebook's Linkshim:
http://www.facebook.com/l.php?u=asdf&h=mAQHgtP_E
So how do you bypass the restrictions and load arbitrary links? You simply remove the http:// part of the target destination and it will redirect successfully:
http://facebook.com/campaign/
Facebook's Linkshim (l.php) interprets example.com the same as http://example.com thus allowing for a working redirection. As you may have read in the past, url redirection flaws in Facebook and third party applications puts a user's access token at risk if that link is entered as the final destination in an Oauth dialog. But the most common use of a redirection flaw in general is the ability to convince a user to click on a trusted link which is specially crafted to take them to an arbitrary website.
However, Facebook informed me that because the redirection occurs through the l.php method, they have the ability to filter and ban particular websites from redirecting using their automatic spam and malware analysis. But not all malware/spam can be caught by Facebook, and by the time a link is banned, an attacker would have already moved on to another link.
If you want to see the Video Tutorial Click On
Facebook responded the day after my report, and they were quick to patch the flaw in about a week and a half. The payout for this bug is $1,000.
The Open URL Redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.
An Open URL Redirection in Facebook platform and third party applications also expose the users to access token at risk if that link is enabled as the final destination in an Oauth Dialog.
The flaw exists in the way Facebook handled the url parameter. Visiting the link below would always redirect to the Facebook homepage:
http://facebook.com/campaign/
But I noticed that changing the url to a random string, for example:
http://facebook.com/campaign/landing.php?url=asdf
The link above generated a unique "h" variable and passed the url parameter to Facebook's Linkshim:
http://www.facebook.com/l.php?u=asdf&h=mAQHgtP_E
So how do you bypass the restrictions and load arbitrary links? You simply remove the http:// part of the target destination and it will redirect successfully:
http://facebook.com/campaign/
Facebook's Linkshim (l.php) interprets example.com the same as http://example.com thus allowing for a working redirection. As you may have read in the past, url redirection flaws in Facebook and third party applications puts a user's access token at risk if that link is entered as the final destination in an Oauth dialog. But the most common use of a redirection flaw in general is the ability to convince a user to click on a trusted link which is specially crafted to take them to an arbitrary website.
However, Facebook informed me that because the redirection occurs through the l.php method, they have the ability to filter and ban particular websites from redirecting using their automatic spam and malware analysis. But not all malware/spam can be caught by Facebook, and by the time a link is banned, an attacker would have already moved on to another link.
If you want to see the Video Tutorial Click On
Facebook responded the day after my report, and they were quick to patch the flaw in about a week and a half. The payout for this bug is $1,000.
Dear All,
ReplyDeleteWe are introducing the new and exciting world of social network, FUNBOOK
Fast growing social media website with full security. You can join now for free
http://funbook-pk.com
Wishing you best of luck