Sunday, 17 November 2013

Facebook Open URL Redirection vulnerability

Security researcher Dan Melamed discovered an open URL redirection vulnerability in Facebook that allowed a facebook.com link to redirect to any website without restriction.

An open URL redirection flaw is typically used to convince a user to click a link on a trusted domain that has been crafted to send them on to an arbitrary website; that destination can serve malware or host a phishing page.
An open redirection flaw in the Facebook platform or in a third-party application also puts the user's access token at risk: if such a link is supplied as the final destination of an OAuth dialog, the token is delivered to wherever the link redirects.

The Facebook open URL redirection vulnerability exists in the landing.php page's "url" parameter, i.e.
http://facebook.com/campaign/landing.php?url=http://yahoo.com
This URL always redirects the user to Facebook's homepage, because an absolute external URL is rejected. Supplying a random string instead of a URL, however, behaves differently:
http://facebook.com/campaign/landing.php?url=asdf
That URL generated a unique "h" parameter and passed the url parameter through to Facebook's Linkshim (l.php):
http://www.facebook.com/l.php?u=asdf&h=mAQHgtP_E
Having observed this redirection flow, Dan Melamed looked for a way to abuse it to bypass the restriction and load an arbitrary link.


Dan discovered that simply removing the http:// prefix from the target destination is enough to make a Facebook link redirect anywhere, without restriction, i.e.
http://facebook.com/campaign/landing.php?url=yahoo.com
The check on landing.php only blocks the absolute form of an external URL, while Facebook's Linkshim (l.php) interprets target.com the same as http://target.com, so the redirection goes through.
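To make the mismatch concrete, here is an added Python model of the two-stage redirect described above. It is not Facebook's code and does not reproduce the real Linkshim or its "h" token; the trusted-host list, the HOMEPAGE constant and the function names are assumptions constructed for this illustration. The vulnerable version validates the raw parameter while the link shim follows a normalized one, so a scheme-less host slips through; the hardened version validates the destination in the form it will actually be followed, which also catches the userinfo trick (facebook.com@evil.com).

```python
from urllib.parse import urlparse, urlunparse

# Hosts the redirector is allowed to send users to (constructed for this example).
TRUSTED_HOSTS = {"facebook.com", "www.facebook.com"}
HOMEPAGE = "http://www.facebook.com/"


def linkshim_follow(u):
    """Approximation of how the link shim treats its 'u' parameter: a value with
    no scheme, such as 'yahoo.com', is followed as 'http://yahoo.com'.
    (Assumption modelled on the article's observation, not Facebook's real l.php.)"""
    if not urlparse(u).scheme:
        u = "http://" + u
    return urlunparse(urlparse(u))


def vulnerable_landing(url_param):
    """Reproduces the described behaviour: an absolute URL to a foreign host is
    bounced to the homepage, everything else is handed to the link shim as-is."""
    parts = urlparse(url_param)
    if parts.netloc and parts.netloc.lower() not in TRUSTED_HOSTS:
        return HOMEPAGE
    # 'yahoo.com' has an empty netloc here, so it looks like a relative path
    # and slips past the check; the link shim then turns it into http://yahoo.com.
    return linkshim_follow(url_param)


def hardened_landing(url_param):
    """Validate the destination in the exact form the consumer will follow:
    normalise first, then allowlist the scheme and the parsed hostname
    (hostname excludes any user@ prefix, so 'facebook.com@evil.com' is caught)."""
    normalized = linkshim_follow(url_param)
    parts = urlparse(normalized)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or host not in TRUSTED_HOSTS:
        return HOMEPAGE
    return normalized


if __name__ == "__main__":
    samples = ("http://yahoo.com", "yahoo.com", "asdf",
               "facebook.com@evil.com", "http://www.facebook.com/events")
    for p in samples:
        print(f"url={p!r:34} vulnerable -> {vulnerable_landing(p)!r:36} "
              f"hardened -> {hardened_landing(p)!r}")
```

The design point is that a redirect validator must parse the same string the redirect consumer parses; checking one representation and following another is exactly the gap this bug exploited.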

Facebook told Dan that, because the redirection passes through l.php, the platform is able to filter the destination using its automated spam and malware analysis.

Even so, Facebook's filtering of the target URL cannot catch every malware or spam campaign, and "by the time a link is banned, an attacker would have already moved on to another link."

Proof of Concept video:

Facebook quickly fixed the vulnerability after Dan's report and paid him a $1,000 reward under its bug bounty program.

In the past he had revealed a critical Facebook vulnerability that allowed accounts to be hacked, and two Facebook vulnerabilities related to the Fanpage Invite feature of the social network.
