A Facebook Open URL Redirection vulnerability is the last discovery of security expert Dan Melamed that reported it in a recent post.
Dan is an old acquaintance of Security Affairs, he revealed in July a Critical Facebook vulnerability that allowed account hacking, in August he discovered 2 Facebook vulnerabilities related to the Fanpage Invite of the popular social network and a few weeks later he found a Critical Pinterest Exploit threatens the privacy of millions of users.
An open URL Redirection flaw is generally used to convince a user to click on a trusted link which is specially crafted to take them to an arbitrary website, the target website could be used to serve a malware or for a phishing attack.
An Open URL Redirection url flaw in Facebook platform and third party applications also exposes the user’s access token at risk if that link is entered as the final destination in an Oauth dialog.
The Facebook Open URL Redirection vulnerability is present in the way Facebook manages the “url” parameter, for example the following URL
always redirects to the Facebook homepage, but it is sufficient to manipulate the “url” parameter assigning a random string:
In reality the above URL generated a unique “h” variable and passed the url parameter to Facebook’s Linkshim (l.php):
Once noted the redirection process, Dan Melamed explored the way to exploit the mechanism to bypass the restrictions on redirection and load an arbitrary link. Dan discovered that simply removing the http:// part of the target destination it was able to redirect a Facebook link elsewhere without any restrinction.
The Facebook’s Linkshim (l.php) interprets the link target.com the same as http://target.com making possible the redirection.
Facebook informed Dan that because the redirection occurs through the l.php method, the social networking platform is able to apply a proper filter from redirecting using automatic spam and malware analysis.
It is easy to understand that despite Facebook filters target url, it could not detect all malware/spam campaign addressed “and by the time a link is banned, an attacker would have already moved on to another link.”
Following a video Proof of Concept of the open URL Redirection flaw: