
Thread: Facebook Mobile Open Redirection Vulnerability (My123World.Com)

  #1
    Webapp Secninja
    Join Date: Aug 2012
    Location: Ranchi, Jharkhand
    Posts: 41
    Blog Entries: 2

    Facebook Mobile Open Redirection Vulnerability

    Some time back, I found an open redirect vulnerability in the Facebook mobile site (http://m.facebook.com).

    According to OWASP:

    An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.

    So typically what happens on Facebook is that whenever you try to visit any external link, the URL is first passed to l.php (see the note from Facebook Security here), and l.php then redirects to the website; before redirecting, if l.php finds the website to be marked as malicious, it won't redirect and will display an error message instead.

    Now one fine day, while browsing the Facebook mobile website, I noticed someone had uploaded a video on Facebook, so I tried to view it by clicking the video thumbnail and a download pop-up appeared. On careful examination, the link Facebook used to generate the URL was like this:

    m.facebook.com/video_redirect/?src=[LINK_TO_VIDEO]

    So I manipulated the 'src' parameter to something like http://www.google.com, so the link became:

    m.facebook.com/video_redirect/?src=http://www.google.com

    Whoa! It successfully redirected to http://www.google.com, so this was the issue.

    Facebook fixed this issue within two weeks and offered a monetary reward of $500 USD.

    I will be featured in the Facebook Thank You list soon.
    Last edited by prakhar; 02-22-2013 at 01:22 PM.
    Hacking Wacking Sab Moh Maya Hai
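The fix for an endpoint like /video_redirect/?src=... is to validate the parameter against an allowlist of hosts before placing it in the Location header. The code below is an added example of such a check; it is not code from the original post, from Facebook, or from l.php, and the hostnames in the allowlist and the function name are assumptions for illustration. It also covers the parsing edge cases that commonly defeat naive prefix checks: scheme-relative URLs, userinfo tricks, backslashes, and non-HTTP schemes.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for this example: the hosts a video redirect endpoint
# would legitimately send users to (assumed names, not Facebook's).
ALLOWED_HOSTS = {"video.example-cdn.net", "m.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def safe_redirect_target(src, allowed_hosts=ALLOWED_HOSTS):
    """Return a normalised URL if `src` points at an allowlisted host, else None.

    Hypothetical helper: this is the check a redirect endpoint must run on the
    `src` parameter before issuing a 302. A None result should be handled by
    refusing the redirect (or redirecting to a fixed error page), never by
    falling back to the raw parameter.
    """
    if not isinstance(src, str) or not src:
        return None

    # Browsers treat backslashes as forward slashes in URLs, so normalise
    # before parsing; otherwise "http:\\evil.test" can be mis-parsed.
    candidate = src.replace("\\", "/")
    parts = urlsplit(candidate)

    # Scheme-relative ("//evil.test/x"), relative, javascript: and data: inputs
    # all fail here: only absolute http(s) URLs are considered at all.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None

    # urlsplit().hostname strips userinfo and port, so
    # "https://m.example.com@evil.test/" yields hostname "evil.test",
    # which defeats the classic "starts with our domain" bypass.
    host = parts.hostname
    if host is None:
        return None
    host = host.lower()
    if host not in allowed_hosts:
        return None

    # An unparsable port (e.g. "https://host:abc/") raises ValueError.
    try:
        port = parts.port
    except ValueError:
        return None

    # Rebuild the URL from validated pieces: no userinfo, lowercase host,
    # fragment dropped. This is what goes into the Location header.
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    # Constructed sample inputs, including the Google URL from the post.
    samples = [
        "https://video.example-cdn.net/clip.mp4?id=1#t=10",
        "http://www.google.com",
        "https://m.example.com@evil.test/",
        "//evil.test/x",
        "http:\\\\evil.test",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:48} -> {safe_redirect_target(s)!r}")
```

The design choice worth noting is that the function never returns the caller's string: it re-serialises only the parsed, validated components, so anything the parser discarded (userinfo, fragment, odd casing) cannot reach the response.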
