Open URL redirection vulnerability discovered on Facebook
Posted by: Jon Ben-Mayor on 11/16/2013 10:34 AM
Dan Melamed discovered a flaw on Facebook that allowed him to make a facebook.com link redirect to any website without restriction. Had it not been discovered, this vulnerability could have deceived users into clicking a trusted-looking link that would take them to a potentially harmful, arbitrary website. The flaw was quickly fixed by Facebook, and he was awarded $1000 from the bug bounty program.
The flaw is an open URL redirection vulnerability, and on his security blog he explains that it exists in the way Facebook handled the url parameter. Visiting the link below would always redirect to your Facebook homepage:
http://facebook.com/campaign/landing.php?url=http://yahoo.com
Changing the url to a random string, for example:
http://facebook.com/campaign/landing.php?url=asdf
The link above generated a unique "h" variable and passed the url parameter to Facebook's Linkshim:
http://www.facebook.com/l.php?u=asdf&h=mAQHgtP_E
The restriction could be bypassed, and arbitrary links loaded, simply by removing the http:// part of the target destination; the redirect then succeeds:
http://facebook.com/campaign/landing.php?url=yahoo.com
Facebook's Linkshim (l.php) interprets example.com the same as http://example.com, so the redirection to the external site works.
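The root cause is a mismatch between the check and the consumer: landing.php rejects destinations that start with http://, but l.php then prepends http:// to anything without a scheme. The following is an added illustration, not Facebook's code; it models the flawed check beside a hardened version that normalizes the target the same way the downstream hop will and then decides on the parsed host. The host names and homepage are constructed stand-ins.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-ins for the site's own origin and its homepage.
TRUSTED_HOST = "www.facebook.com"
HOMEPAGE = "https://www.facebook.com/"

def linkshim(target: str) -> str:
    """Model of the downstream hop (l.php): a bare host such as
    'example.com' is treated exactly like 'http://example.com'."""
    if "://" not in target:
        target = "http://" + target
    return target

def vulnerable_redirect(url: str) -> str:
    """Model of the flawed landing.php check described above: an absolute
    URL is rejected (homepage), but anything else is handed to the link
    shim unnormalized, which turns 'yahoo.com' into an external hop."""
    if url.startswith("http://") or url.startswith("https://"):
        return HOMEPAGE
    return linkshim(url)

def safe_redirect(url: str) -> str:
    """Hardened form: normalize exactly as the consumer will, then decide
    on the parsed host rather than on a string prefix."""
    candidate = url.strip()
    # Scheme-relative forms ('//host', '/\\host') resolve to another origin.
    if candidate.startswith("//") or candidate.startswith("/\\"):
        return HOMEPAGE
    if candidate.startswith("/"):          # local path: safe to honour
        return urlunsplit(("https", TRUSTED_HOST, candidate, "", ""))
    parts = urlsplit(linkshim(candidate))  # same normalization as l.php
    if parts.scheme not in ("http", "https") or parts.hostname != TRUSTED_HOST:
        return HOMEPAGE
    return urlunsplit(("https", TRUSTED_HOST, parts.path or "/", parts.query, ""))
```

With the flawed check, "http://yahoo.com" lands on the homepage while "yahoo.com" leaves the site; the hardened check sends both to the homepage and honours only same-host targets.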
Facebook informed Dan that because the redirection occurs through the l.php method, they can filter and ban particular websites from redirecting using their automatic spam and malware analysis.
This process is of course not foolproof: some malware/spam will get through, and by the time Facebook bans a link that has managed to slip through, the attacker will almost certainly have moved on to another one.
Nice catch indeed!