I am not really used to writing about vulnerabilities I discovered, but this time it is worth it since it is a bit exceptional for me: it is about a security issue found on Facebook.
As you have read in the title, Facebook is vulnerable to an open redirect because some parameters did not fully validate their input, allowing an attacker to redirect the victim to a malicious page. This class of vulnerability is abused in phishing attacks, since the link starts with a trusted facebook.com address, to get users to visit malicious sites without realizing it.
Vulnerable endpoints
https://www.facebook.com/ads/manage/log/?uri=xxxxx&event=view_power_editor&ad_account_id=1
https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=xxxxx
Facebook has, indeed, implemented some protection against open redirection, since I was not able to perform the attack using common techniques like the ones below:
https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=https://www.evil.com/
https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=../evil.com
https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=https://l.facebook.com/l.php?u=https://evil.com
None of the above bypass techniques worked. I was about to give up when I noticed in my Twitter feed some Facebook shortened links that looked like https://fb.me/7kFH9QAMH (which redirects to evil.com). These links are automatically generated if you link your Facebook account with Twitter, so I quickly got back to my testing and tried to bypass the protection using the shortened link, which worked perfectly.
After reporting it to Facebook on 13/12/2014, it was fixed on 17/12/2014 and Facebook rewarded me with a $500 bounty for it.
Proof Of Concept 1:
https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=https://fb.me/7kFH9QAMH
https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=https://l.facebook.com/l.php?u=https:// fb.me/7kFH9QAMH
You would be redirected to evil.com.
I went back to check whether I could somehow bypass the protection again. So I took a deep look at the fb.me domain and found some subdomains like https://on.fb.me for Facebook pages, and I tried to guess other valid subdomains. Subsequently, I found the valid subdomain https://d.fb.me/7kFH9QAMH, which worked perfectly, allowing me to bypass the protection.
Proof Of Concept 2:
https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=https://d.fb.me/7kFH9QAMH
I quickly escalated the bug to the Facebook security team on 22/12/2014 and they fixed it on 24/12/2014, but they decided not to reward it because it was similar to the original one. I was not happy with their decision, so I managed to find another way to bypass the protection again, hoping that this time they would reconsider awarding a bounty for my efforts.
I tried again with some new tricks, but they all failed; then, unintentionally, I added www to the shortened Facebook link, as in https://www.fb.me/7kFH9QAMH, and the open redirect worked just fine. In other words, I bypassed Facebook's previous fix once again.
Proof Of Concept 3:
https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=https://www.fb.me/7kFH9QAMH
https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=https://www..fb.me/7kFH9QAMH
I followed up with the security engineer who escalated the bug on 24/12/2014, it got fixed on 30/12/2014 and, luckily, Facebook decided to reward $500 for it.
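The common thread of the three bypasses is that a first-party URL shortener was treated as a trusted redirect target even though its destination is chosen by whoever created the short link. The Python below is an added illustration, not code from this post or from Facebook: a hypothetical reconstruction of a check that trusts any fb.me host, next to a strict exact-host allowlist that refuses shorteners and redirector endpoints outright. ALLOWED_HOSTS and the function names are assumptions; the request URLs fed to it are the ones quoted above.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical allowlist of exact hosts the application may redirect to.
ALLOWED_HOSTS = {"www.facebook.com", "facebook.com"}


def naive_is_trusted(target: str) -> bool:
    """Reconstruction of a check that also trusts the first-party shortener.

    Any host under fb.me is accepted, so fb.me, d.fb.me and www.fb.me links
    all pass even though their destination is set by the link's creator.
    """
    host = urlsplit(target).hostname or ""
    return host in ALLOWED_HOSTS or host == "fb.me" or host.endswith(".fb.me")


def strict_is_trusted(target: str) -> bool:
    """Exact-host allowlist: shorteners and redirector endpoints are not on it."""
    target = target.strip()
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # A plain path stays on-site; "//host/..." would be scheme-relative.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.hostname or "") in ALLOWED_HOSTS


def redirect_param(endpoint_url: str, name: str) -> str:
    """Pull the redirect-target parameter (e.g. groupuri) out of a request URL."""
    return parse_qs(urlsplit(endpoint_url).query).get(name, [""])[0]


def classify(endpoint_url: str, name: str = "groupuri") -> tuple:
    """Return (target, naive_verdict, strict_verdict) for one logged request."""
    target = redirect_param(endpoint_url, name)
    return target, naive_is_trusted(target), strict_is_trusted(target)


if __name__ == "__main__":
    # Request URLs quoted in the write-up (evil.com stands for an attacker site).
    base = "https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri="
    for t in ("https://www.evil.com/", "../evil.com",
              "https://l.facebook.com/l.php?u=https://evil.com",
              "https://fb.me/7kFH9QAMH", "https://d.fb.me/7kFH9QAMH",
              "https://www.fb.me/7kFH9QAMH", "/groups/1"):
        target, naive, strict = classify(base + t)
        print(f"{target:50} naive={naive!s:5} strict={strict}")
```

Only the strict check rejects all three shortener variants; the lesson for a reviewer is that a shortener, even your own, is an open redirect by design and belongs on no redirect allowlist.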