Discovered Open URL Redirection flaw in Facebook

Researcher Dan Melamed recently discovered an open url redirection flaw in Facebook that allowed to have a facebook.com link redirect to any website.

A Facebook Open URL Redirection vulnerability is the last discovery of security expert Dan Melamed that reported it in a recent post.

Dan is an old acquaintance of Security Affairs, he revealed in July a Critical Facebook vulnerability that allowed account hacking, in August he discovered 2 Facebook vulnerabilities related to the Fanpage Invite of the popular social network and a few weeks later he found a Critical Pinterest Exploit threatens the privacy of millions of users.

About a week ago, he made another interesting discovery, he has found an open url redirection vulnerability in Facebook that allowed him to have a facebook.com link redirect to any website without restrictions.

An open URL Redirection flaw is generally used to convince a user to click on a trusted link which is specially crafted to take them to an arbitrary website, the target website could be used to serve a malware or for a phishing attack.

 

An Open URL Redirection url flaw in Facebook platform and third party applications also exposes the user’s access token at risk if that link is entered as the final destination in an Oauth dialog.

The Facebook Open URL Redirection vulnerability is present in the way Facebook manages the “url” parameter, for example the following URL

 

http://facebook.com/campaign/landing.php?url=http://yahoo.com

 

always redirects to the Facebook homepage, but it is sufficient to manipulate the “url” parameter assigning a random string:

http://facebook.com/campaign/landing.php?url=asdf

In reality the above URL generated a unique “h” variable and passed the url parameter to Facebook’s Linkshim (l.php):

http://www.facebook.com/l.php?u=asdf&h=mAQHgtP_E

Once noted the redirection process, Dan Melamed explored the way to exploit the mechanism to bypass the restrictions on redirection and load an arbitrary link. Dan discovered that simply removing the http:// part of the target destination it was able to redirect a Facebook link elsewhere without any restrinction.

http://facebook.com/campaign/landing.php?url=yahoo.com

The Facebook’s Linkshim (l.php) interprets the link target.com the same as http://target.com making possible the redirection.

Facebook informed Dan that because the redirection occurs through the l.php method, the social networking platform is able to apply a proper filter from redirecting using automatic spam and malware analysis.

It is easy to understand that despite Facebook filters target url,  it could not detect all malware/spam campaign addressed “and by the time a link is banned, an attacker would have already moved on to another link.”

Following a video Proof of Concept of the open URL Redirection flaw:

Facebook quick fixed the vulnerability after the Dan’s report and the payout for the bug is $1,000.

Pierluigi Paganini

(Security Affairs – open URL Redirection flaw, Facebook)

 

 

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows flaws to its Known Exploited…

1 hour ago

Ivanti fixed two EPMM flaws exploited in limited attacks

Ivanti addressed two Endpoint Manager Mobile (EPMM) software vulnerabilities that have been exploited in limited…

3 hours ago

Microsoft Patch Tuesday security updates for May 2025 fixed 5 actively exploited zero-days

Microsoft Patch Tuesday security updates for May 2025 addressed 75 security flaws across multiple products, including…

12 hours ago

Fortinet fixed actively exploited FortiVoice zero-day<gwmw style="display:none;"></gwmw><gwmw style="display:none;"></gwmw>

Fortinet fixed a critical remote code execution zero-day vulnerability actively exploited in attacks targeting FortiVoice…

14 hours ago

How Interlock Ransomware Affects the Defense Industrial Base Supply Chain

Interlock Ransomware 's attack on a defense contractor exposed global defense supply chain details, risking…

1 day ago

Marks and Spencer confirms data breach after April cyber attack

Marks and Spencer (M&S) confirms that threat actors stole customer data in the ransomware attack…

1 day ago