Yesterday I found a URL redirection vulnerability in Facebook's main page that allows an attacker to redirect a user (victim) to a malicious website without asking for verification that the redirect is intentional. After I reported the vulnerability to Facebook, this is the reply I received from their Security Team:
Sorry, but this is expected behavior and not eligible under our bounty program. This endpoint contains a specialized parameter that limits its usage to a small number of computers and users, preventing it from being used as a completely open redirect. For more detailed background information, please see this note by one of the engineers on the product: http://www.facebook.com/notes/facebook-security/link-shim-protecting-the-people-who-use-facebook-from-malicious-urls/10150492832835766
Thanks! Please let us know if you have any further questions.
Because I reported it and they consider it expected behavior, I don't see any reason not to publish the demo. Here is the idea behind the vulnerability.
Facebook uses a hash to prevent open URL redirection, and the hash is generated per account.
From their security page:
To avoid being an open redirector, we generate a hash for each link shim url that’s user specific. Then, when the person loads the interstitial link shim page, we check that the hash is valid for her. If it is, we allow her to access the site requested – but if not, we show a warning page like this:
Let's walk through a scenario:
A victim who is friends with the attacker posts a video on their wall.
The attacker inspects the HTTP parameters after clicking the victim's YouTube video.
URL: http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DSvWjWEyTLkg&h=3AQGbk0Cf&s=1
The s parameter is not needed; the part of the URL that matters to the attacker is the h parameter.
The attacker can change the u parameter while keeping the same h value, and send the link back to the victim as a phishing link that now redirects to a malicious website.
New URL: http://www.facebook.com/l.php?u=cansinyildirim.com&h=3AQGbk0Cf
New URL with the u value hex encoded: http://www.facebook.com/l.php?u=%63%61%6e%73%69%6e%79%69%6c%64%69%72%69%6d%2e%63%6f%6d&h=3AQGbk0Cf
The attacker sends the malicious URL to the victim.
The victim sees only a Facebook URL; after clicking the link, Facebook redirects them to a page specified by the attacker.
The user has been redirected to a malicious website.
In this case, my website is used as an example.
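The scenario above turns on an h value being accepted for a u it was not issued with. As an added illustration that is my own and not Facebook's code, the following contrasts a hypothetical per-user hash with one that also commits to the destination URL, so that swapping u invalidates h; the secret, user IDs and example.com target are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlparse

# Constructed placeholder secret; a real deployment keeps this server-side only.
SECRET = b"constructed-link-shim-secret"


def make_user_hash(user_id: str) -> str:
    """Weak scheme (hypothetical): the hash commits only to the viewing user."""
    return hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()


def make_link_hash(user_id: str, target: str) -> str:
    """Hardened scheme: the hash commits to the user AND the exact destination."""
    msg = user_id.encode() + b"\x00" + target.encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def shim_url(target: str, h: str) -> str:
    """Build an l.php-style link with the destination fully percent-encoded."""
    return f"http://www.facebook.com/l.php?u={quote(target, safe='')}&h={h}"


def check_redirect(url: str, user_id: str, bind_to_target: bool) -> str:
    """Return 'allow' or 'warn' for an l.php-style URL as viewed by user_id.

    parse_qs percent-decodes once, so a hex-encoded u normalises to the same
    target string the hash was computed over (no double decoding here).
    """
    qs = parse_qs(urlparse(url).query)
    target = qs.get("u", [""])[0]
    h = qs.get("h", [""])[0]
    expected = make_link_hash(user_id, target) if bind_to_target else make_user_hash(user_id)
    return "allow" if hmac.compare_digest(h.encode(), expected.encode()) else "warn"


def demo():
    """Reuse an h issued for one destination with another, under both schemes."""
    victim = "victim-uid-1"  # constructed
    original = "http://www.youtube.com/watch?v=SvWjWEyTLkg"
    other = "http://example.com/"  # constructed stand-in for an attacker-chosen page
    # Weak scheme: h was issued for the YouTube link but is accepted with a different u.
    weak = check_redirect(shim_url(other, make_user_hash(victim)), victim, False)
    # Hardened scheme: the same substitution is rejected because h no longer matches u.
    strong = check_redirect(shim_url(other, make_link_hash(victim, original)), victim, True)
    # Hardened scheme still allows the genuine link, including its percent-encoded form.
    genuine = check_redirect(shim_url(original, make_link_hash(victim, original)), victim, True)
    return weak, strong, genuine
```

The hardened check also fails for a different user presenting a valid link of someone else's, since the user ID is part of the MAC input.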
Here is the PoC video:
UPDATE: The attack does not work if the user and the attacker are not friends.