According to OWASP:
An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it
Now one fine day while browsing the Facebook mobile website I noticed someone had uploaded a video on Facebook so I tried to view it by clicking the video thumbnail and a download pop-up appeared.On careful examination the link Facebook used to generate the URL was like this:
So I manipulated the 'src' parameter to something like http://www.google.com, so the link became:
Whoa! It successfully redirected to http://www.google.com, so this was the issue.
Facebook fixed this issue within two weeks and offered a monetary reward of $500 USD
I will be featured in Facebook Thank You! List soon.