Yassine ABOUKIR

Web App Security Consultant & ISCAEist


How I discovered a 1000$ open redirect in Facebook

December 30, 2014 | Yassine ABOUKIR | 5 Comments

I am not really used to writing about vulnerabilities I have discovered, but this time it is worth it, since it is a bit exceptional for me: it is about a security issue found on Facebook.

As you have read in the title, Facebook is vulnerable to an open redirect because some parameters do not fully validate their input, allowing an attacker to redirect the victim to a malicious page. This class of vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.

Vulnerable endpoints:

https://www.facebook.com/ads/manage/log/?uri=xxxxx&event=view_power_editor&ad_account_id=1

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=xxxxx

Facebook has, indeed, implemented some protection against open redirection, since I was not able to perform the attack using common techniques like the ones below:

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=http://www.evil.com/

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=../evil.com

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=https://l.facebook.com/l.php?u=http://evil.com

None of the above bypass techniques worked! I was about to give up when I noticed in my Twitter feed some Facebook shortened links such as http://fb.me/7kFH9QAMH (redirects to evil.com) that are automatically generated if you link your Facebook account with Twitter. I quickly got back to my pentest work and tried to bypass the protection using the shortened link. Thank god! The open redirection worked perfectly.

After reporting it to Facebook on 13/12/2014, it was fixed on 17/12/2014 and Facebook rewarded me with a 500$ bounty.

Proof Of Concept 1:

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=http://fb.me/7kFH9QAMH (You would be redirected to evil.com)

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=https://l.facebook.com/l.php?u=http:// fb.me/7kFH9QAMH

https://www.youtube.com/watch?v=09vemLhJNCY

I went back to check whether I could somehow bypass the protection again. So I took a deep look at the fb.me domain and found some subdomains like http://on.fb.me/ for Facebook pages, and I tried to guess other valid subdomains. As a result, I found the valid subdomain http://d.fb.me/7kFH9QAMH, which worked perfectly, allowing me to bypass the protection.

Proof Of Concept 2:

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=http://d.fb.me/7kFH9QAMH

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=http://d.fb.me/7kFH9QAMH

https://www.youtube.com/watch?v=Q5HIZCQVDoQ

I quickly escalated the bug to the Facebook security team on 22/12/2014 and they fixed it on 24/12/2014, but they decided not to reward it because it was similar to the original one.

I was not happy with their decision, so I set out to find a way to bypass the protection again, so that they might reconsider raising the bounty for my continued efforts.

I tried some new tricks, but all of them failed. Then, unintentionally, I added "www" to the shortened Facebook link, http://www.fb.me/7kFH9QAMH, and the open redirect worked just fine. In other words, I bypassed Facebook's previous fix once again.

Proof Of Concept 3:

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=http://www.fb.me/7kFH9QAMH

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=http://www..fb.me/7kFH9QAMH

https://www.youtube.com/watch?v=zDkAr2gX4os

I followed up with the security engineer, who escalated the bug on 24/12/2014; it got fixed on 30/12/2014 and, luckily, Facebook decided to reward 500$ for it.
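All three bypasses above defeat a redirect check that trusts a domain by suffix or substring and allowlists a link shortener that itself forwards offsite. As an added example, not code from this post or from Facebook, here is a weak check of that shape beside a hardened Python validator that parses the target and demands an exact host match; the allowlist and helper names are assumptions.

```python
from urllib.parse import urlsplit

# Assumed allowlist of redirect destinations. Short-link hosts such as fb.me
# forward to arbitrary third-party pages, so trusting them (or any of their
# subdomains) re-creates the open redirect one hop further away.
ALLOWED_HOSTS = {"www.facebook.com"}


def weak_is_safe_redirect(url: str) -> bool:
    """Substring-style check that the bypasses in the post defeat: any URL
    that mentions a trusted domain anywhere in it is accepted."""
    return "facebook.com" in url or "fb.me" in url


def is_safe_redirect(url: str) -> bool:
    """Hardened check: parse the URL, require https, reject embedded
    credentials, and require an exact host match. No suffix or substring
    matching, so d.fb.me, www.fb.me and www..fb.me cannot ride in on a
    trusted parent domain, and facebook.com.evil.example is rejected."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme != "https":
        return False
    if parts.username or parts.password:  # https://www.facebook.com@evil
        return False
    host = parts.hostname  # lowercased, port stripped
    return bool(host) and host in ALLOWED_HOSTS


def redirect_target(url: str, default: str = "/") -> str:
    """Return url if it is a safe destination, otherwise a safe default.
    Site-local paths are allowed, but '//host' and '/\\host' are not: browsers
    treat both as scheme-relative URLs pointing at another site."""
    if url.startswith("/") and not url.startswith(("//", "/\\")):
        return url
    return url if is_safe_redirect(url) else default


if __name__ == "__main__":
    # Constructed sample of the bypass payloads discussed in the post
    for candidate in ["http://fb.me/7kFH9QAMH", "https://d.fb.me/7kFH9QAMH",
                      "https://www..fb.me/7kFH9QAMH", "//evil.example/",
                      "https://www.facebook.com/groups/1/", "/ads/manage/"]:
        print(f"{candidate:40} weak={weak_is_safe_redirect(candidate)!s:5} "
              f"hardened -> {redirect_target(candidate)}")
```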

This article has 5 comments
  1. test
    31 December 2014

    Hi, yassineaboukir

    Congrats (y) bro, but how can I send a video report to Facebook, or just a screenshot?

    Thanks

    • admin
      31 December 2014

      Thank you, you can record the video and then upload it on YouTube, but don't make it publicly accessible until the bug is fixed.

  2. Genius Echo
    31 December 2014

    I used to use those open redirections for phishing lol, but I didn't know that I could be rewarded if I reported them to Facebook 😀

    • admin
      31 December 2014

      Facebook has a bug bounty program that rewards security researchers for responsibly disclosing security issues. Besides that, the open redirection vulnerability is classified within the OWASP Top 10.
      See: http://facebook.com/whitehat/

  3. You have conducted an excellent pastime for this topic!
