Tuesday, December 10, 2013

Facebook Open URL Redirection Vulnerability [Bug Bounty Program]



Hi everyone, it's been a long time since my last post, as I was busy these days. Today I'm going to disclose a bug I found on Facebook. I have been rewarded $1000 for this bug and will soon be on the Facebook whitehat list.

Description
An open redirect is a flaw in an application that takes a URL parameter and redirects the user to the parameter's value without validating it. The vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it, because the link they click starts with a trusted domain.
Consequences
Phishing

Platform
All web platforms affected (OWASP)



Description:
[#] Title    :   Facebook Open URL Redirection Vulnerability
[#] Status   :   Fixed
[#] Severity :   Medium
[#] Works on :   Any browser with any version
[#] Reward   :   $1000

 
I have found 6 Open URL Redirectors in 6 different Facebook dialogs. This vulnerability is exploitable against all users who are signed into Facebook. This bug is very similar to the one which Arul Kumar.V found recently, as I also had to bypass the user interaction. To bypass the user interaction I used the Mozilla addon Live HTTP Headers and got the necessary parameters to bypass the user interaction. I used these parameters:
from_post=1, _path=send, error_ok=Okay
You can watch the POC video here: https://vimeo.com/80538675

Impact of Vulnerability:
1. The user may be redirected to an untrusted page that contains malware which may then compromise the user's machine.
2. The user may be subjected to phishing attacks by being redirected to an untrusted page.
3. This bug applies to any user who is signed in, and it works in any browser of any version.

About Facebook Dialog:
Dialogs provide a simple, consistent interface to provide social functionality to people using your apps. Dialogs do not require any additional permissions because they require someone to directly interact with them. Dialogs can be used by your application in several contexts: in a website or mobile web app, within native iOS and native Android applications, or in a game on Facebook.com.

Reference: https://developers.facebook.com/docs/dialogs/


Reproduction Instructions / Proof of Concept:
If any signed-in Facebook user clicks any one of the following links, they will be redirected to our desired page. URL shorteners can be used to mask malicious links. I got redirects on six different dialogs.
Note: You must be signed into a Facebook account for the redirect to work.

Vulnerable URLs:
https://m.facebook.com/dialog/send?next=http://google.com&app_id=104018109673165&from_post=1&_path=send&error_ok=Okay
https://m.facebook.com/dialog/pagetab?next=http://google.com&app_id=104018109673165&from_post=1&_path=send&error_ok=Okay
https://m.facebook.com/dialog/feed?next=http://google.com&app_id=104018109673165&from_post=1&_path=send&error_ok=Okay
https://m.facebook.com/dialog/share?next=http://google.com&app_id=104018109673165&from_post=1&_path=send&error_ok=Okay
https://m.facebook.com/dialog/pay?next=http://google.com&app_id=104018109673165&from_post=1&_path=send&error_ok=Okay
https://m.facebook.com/dialog/login?next=http://google.com&app_id=104018109673165&from_post=1&_path=send&error_ok=Okay
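Every URL above trusts the `next` parameter as-is. The fix on the server side is to validate that parameter before issuing the redirect. The following is an added example of such a check, written for this post and not Facebook's own code; the allowlist hosts and the `resolve_next` helper names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist: the only hosts an absolute `next` URL may point to.
ALLOWED_HOSTS = {"www.example.com", "m.example.com"}


def resolve_next_unvalidated(request_url: str) -> str:
    """The vulnerable pattern: whatever is in `next` becomes the Location header."""
    qs = parse_qs(urlsplit(request_url).query)
    return qs.get("next", [""])[0]


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only a same-site path or an https URL to an allowlisted host."""
    if not target:
        return False
    # Control characters and whitespace are rejected outright: browsers strip
    # or normalise them, which would otherwise let a check and the browser
    # disagree about where the redirect goes.
    if any(ord(c) < 0x20 or c.isspace() for c in target):
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative target. It must start with exactly one "/": "//evil.com"
        # is scheme-relative and "/\evil.com" is treated the same way by
        # some browsers, so both would leave the site.
        return target.startswith("/") and not target.startswith(("//", "/\\"))
    # Absolute target: require https and an exact host match. Using
    # parts.hostname (not netloc) strips userinfo and port, so
    # "https://www.example.com@evil.com/" resolves to evil.com and is refused.
    if parts.scheme.lower() != "https":
        return False
    return (parts.hostname or "").lower() in allowed_hosts


def resolve_next(request_url: str, default: str = "/") -> str:
    """The hardened pattern: fall back to `default` when `next` is not safe."""
    target = resolve_next_unvalidated(request_url)
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    # Constructed request modelled on the dialog URLs in this post.
    req = ("https://m.example.com/dialog/send?next=http://google.com"
           "&app_id=104018109673165&from_post=1&_path=send&error_ok=Okay")
    print("unvalidated ->", resolve_next_unvalidated(req))
    print("validated   ->", resolve_next(req))
```

With the allowlist above, the `next=http://google.com` value from the report is refused and the user lands on the default page instead of the attacker-chosen one.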

After I reported the bug I got this reply, and they fixed the bug within a week.