• Facebook Mobile Open Redirection Vulnerability

    Some time back, I found an open redirect vulnerability in the Facebook mobile site (http://m.facebook.com).

    According to OWASP:

    An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.

    So what typically happens on Facebook is that whenever you try to visit an external link, the URL is first passed to l.php (see the note from Facebook Security here), and l.php then redirects to the website. Before redirecting, if l.php finds the website to be marked as malicious, it won't redirect and will display an error message instead.

    Now, one fine day while browsing the Facebook mobile website, I noticed someone had uploaded a video on Facebook, so I tried to view it by clicking the video thumbnail and a download pop-up appeared. On careful examination, the link Facebook used to generate the download URL looked like this:


    So I changed the 'src' parameter to something like http://www.google.com, and the link became:


    Whoa! It successfully redirected to http://www.google.com, which confirmed the issue: the 'src' value was used as the redirect target without being validated.
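    As an added illustration (not the author's code and not Facebook's implementation), here is the difference between using a 'src'-style parameter as the redirect target unchanged and validating it first, with an l.php-style blocklist gate alongside; the allowed hosts, the blocked host and the fallback URL are assumed values.

```python
from urllib.parse import urljoin, urlparse

# Constructed allowlist: the only hosts a download/redirect may point at.
ALLOWED_HOSTS = {"m.facebook.com", "www.facebook.com"}
# Constructed blocklist, standing in for the "marked malicious" check the post
# attributes to l.php (hypothetical host).
BLOCKED_HOSTS = {"malicious.example"}
SITE_ROOT = "https://m.facebook.com/"  # assumed fallback destination


def vulnerable_redirect_target(src: str) -> str:
    """'Before' behaviour: whatever arrived in src becomes the Location header."""
    return src


def safe_redirect_target(src: str, fallback: str = SITE_ROOT) -> str:
    """Accept src only if it resolves to an http(s) URL on an allowed host.

    Returns the *resolved absolute* URL rather than the raw input, so
    scheme-relative forms like //evil.example/x are resolved (and rejected)
    here instead of being reinterpreted by the browser.
    """
    resolved = urljoin(fallback, src)
    parsed = urlparse(resolved)
    # Rejects javascript:, data: and other non-web schemes.
    if parsed.scheme not in ("http", "https"):
        return fallback
    # .hostname drops userinfo and port, so "http://m.facebook.com@evil.example/"
    # yields "evil.example" and is refused instead of passing a prefix match.
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return fallback
    return resolved


def gateway_allows(url: str) -> bool:
    """l.php-style gate: refuse to forward to a host on the blocklist."""
    host = (urlparse(url).hostname or "").lower()
    return host not in BLOCKED_HOSTS
```

    Note that the gateway check alone does not help when the redirect is issued by a different endpoint that never passes through it, which is why the validating function above is applied at the point where the parameter is consumed.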

    Facebook fixed this issue within two weeks and offered a monetary reward of $500 USD.

    I will be featured in the Facebook Thank You! list soon.

    This article was originally published in the forum thread "Facebook Mobile Open Redirection Vulnerability", started by prakhar.