This report was a resubmission after the first report:
I had deepened my research and also managed to find that this flaw not only affects Facebook but also Instagram. This issue can be reproduced in all browsers.
Facebook and Instagram URLs can be used to redirect a user straight to any malicious website through any of the whitelisted domains with which Facebook and Instagram are partnering.
Using the following dork on Google: "site:facebook.com inurl:redirect_uri",
Google returns 55,900 results (many of the indexed pages are from the domain m.gulfnews.com; this single domain can change the number of domains that affect Facebook), which means:
Somewhere among these results there is an open redirect in one of the domains to which Facebook automatically redirects, resulting in an open redirect on the Facebook domain.
In the example above, due to a flaw in the mhedutcation.com domain, it is possible to redirect from Facebook to the desired website by changing the value of the "gotourl" parameter, thereby sending users to any malicious website.
Proof of concept Facebook:
1. Change the parameter “gotourl” value
2. Share the link with the victim
3. The victim will be redirected to the attacker's desired location
In the same way as for Facebook, using the following dork on Google: "site:instagram.com inurl:u=http",
44,800 results are returned, giving us plenty of room to find an open redirect.
It gets even easier by using the bit.ly website.
Proof of concept Instagram:
1. Browse bit.ly
2. Shorten your malicious page URL
3. Share this link with victims: http://l.instagram.com/?e=ATMdhO1KvVC5dmRw0CLaUpD278B8BvKSVNVokazwaa-djEQT4yaI9llT&u=http%3A%2F%2Fbit.ly%2F1bdDlXc
4. Change the parameter “u” value to your bit.ly phishing link
5. This shortened URL was created by me and will redirect to Google, but as you know any URL can be shortened.
How to exploit these vulnerabilities
An attacker may successfully launch a phishing scam and steal user credentials or infect a user's device. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance.
Google Chrome: Working
Internet Explorer: Working
Simply avoid using redirects without user interaction.
- If redirects are used, do not allow the user to supply a URL to set the destination; this can usually be avoided. If it cannot, you should have a method to validate the URL.
- If user input can't be avoided, ensure that the supplied value is valid, appropriate for the application, and authorized for the user.
- It is recommended that any such destination input be mapped to a value, rather than the actual URL or a portion of the URL, and that server-side code translate this value to the target URL.
- Sanitize input by creating a list of trusted URLs (a list of hosts or a regex).
- Force all redirects to first go through a page notifying users that they are leaving your site, and have them click a link to confirm.
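The following is an added example, not code from the original report or from Facebook or Instagram, showing how the mitigations above fit together in a redirect endpoint: destination input mapped to an opaque token that the server resolves, a strict host allowlist for the cases where a raw URL must be accepted, and a "confirm" decision for destinations that leave the site. All hostnames, tokens and sample inputs are constructed for illustration. The allowlist comment also carries the caveat the report itself demonstrates: listing a partner host that redirects on its own parameter, or a URL shortener, turns the allowlist back into an open redirect.

```python
"""Redirect-destination validation (added example, not the report's code).
Hostnames, tokens and inputs are constructed; adapt to your own origins."""
from urllib.parse import urlsplit, urlunsplit

# Preferred design: callers pass an opaque token and the server resolves it,
# so no URL is ever taken from the request.
DESTINATIONS = {
    "help": "https://help.example.com/",
    "partner-news": "https://news.partner-example.com/feed",
}

# Fallback design: explicit allowlist, matched on the exact parsed hostname
# (never a substring or prefix test). Do NOT list a host that itself redirects
# on a user-supplied parameter (a "gotourl"-style partner page, bit.ly, ...):
# that host would re-open the redirect this allowlist is meant to close.
ALLOWED_HOSTS = {"www.example.com", "help.example.com", "news.partner-example.com"}
OUR_HOSTS = {"www.example.com", "help.example.com"}


def resolve_token(token: str):
    """Look the token up; an unknown token yields no redirect at all."""
    return DESTINATIONS.get(token)


def validate_redirect_url(candidate: str):
    """Return (clean_url, is_external) for an acceptable URL, else None."""
    # Control characters and backslashes are parsed differently by browsers
    # and by url libraries, so reject them outright rather than normalise.
    if "\\" in candidate or any(c in candidate for c in "\r\n\t\x00"):
        return None
    # A same-origin relative path is fine; a scheme-relative "//evil" is not.
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate, False
    try:
        parts = urlsplit(candidate)
        host = parts.hostname   # lower-cased, userinfo and port stripped
        port = parts.port       # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None  # javascript:, data:, vbscript: and friends
    if parts.username is not None or parts.password is not None:
        return None  # https://www.example.com@evil.test
    if host is None or host not in ALLOWED_HOSTS:
        return None  # includes www.example.com.evil.test and bit.ly
    # Rebuild from the parsed parts so the URL we emit is the one we checked.
    netloc = host + (f":{port}" if port else "")
    clean = urlunsplit((parts.scheme.lower(), netloc, parts.path,
                        parts.query, parts.fragment))
    return clean, host not in OUR_HOSTS


def redirect_decision(token=None, url=None):
    """Return ("redirect" | "confirm" | "deny", target) for the endpoint.

    "confirm" means: show the 'you are leaving this site' page first."""
    if token is not None:
        target = resolve_token(token)
        return ("redirect", target) if target else ("deny", None)
    if url is not None:
        result = validate_redirect_url(url)
        if result is None:
            return ("deny", None)
        target, external = result
        return ("confirm" if external else "redirect", target)
    return ("deny", None)


if __name__ == "__main__":
    for sample in ("/settings", "//evil.test/", "https://www.example.com@evil.test/",
                   "https://www.example.com.evil.test/", "https://bit.ly/abc",
                   "https://news.partner-example.com/feed?x=1", "javascript:alert(1)"):
        print(f"{sample!r:50} -> {redirect_decision(url=sample)}")
    print(f"{'token=help':50} -> {redirect_decision(token='help')}")
```

The token path is the one to reach for first: the request never carries a URL, so there is nothing to validate. The URL path exists for legacy links and shows the checks that the report's partner domains evidently lacked, in particular exact host matching and rejection of userinfo and scheme-relative forms.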
Unfortunately, the reply was the same as for the first report.