Open redirect Facebook and Instagram

Open redirect Facebook and Instagram report:

This report was a resubmission after the first report:

https://diogoreal.com/2016/11/25/facebook-vulnerable-open-redirect-bugbounty/

I had deepened my research and also managed to find that this flaw affects not only Facebook but also Instagram. This issue can be reproduced in all browsers.

Affected domains:

facebook.com
l.instagram.com

The problem

Facebook and Instagram URLs can be used to redirect a user straight to any malicious website through any of the whitelisted domains with which Facebook and Instagram partner.

Facebook:

By using the following dork on Google: “site:facebook.com inurl:redirect_uri”.

We can see Google returning 55,900 results (many of the indexed pages are from the domain m.gulfnews.com; this domain can change the number of domains that affect Facebook), which means that somewhere among these results there is an open redirect in one of the domains to which Facebook automatically redirects, resulting in an open redirect on the Facebook domain.

Example:

[Image: Facebook redirect to Google]

In the example above, due to a flaw in the mheducation.com domain, it is possible to redirect from Facebook to any desired website by changing the value of the “gotourl” parameter, thereby sending users to any malicious website.

Proof of concept Facebook:

1. Change the parameter “gotourl” value
2. Share the link with the victim
3. The victim will be redirected to the attacker's desired location
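The chain described above (a Facebook or Instagram outbound link whose destination is a whitelisted partner, which in turn carries its own URL-valued parameter pointing somewhere else) can be spotted by parsing alone, without following any link. The following is an added example written for this post, not code from the report or from Facebook; the partner allowlist, the hostnames and the sample URLs are constructed for illustration, and the parameter names are the ones the report shows (`redirect_uri`, `u`, `gotourl`) plus two common assumed ones.

```python
"""Added example (not from the original report): audit an outbound-redirect URL
for a laundered destination, i.e. a trusted first hop whose own query string
carries a further URL. All hosts below are constructed for illustration."""
from urllib.parse import urlparse, parse_qs

# Query parameters that carry a destination URL: the three the report shows
# plus two common names (assumed, not from the page).
REDIRECT_PARAMS = {"redirect_uri", "u", "gotourl", "next", "url"}

# Assumed partner allowlist (constructed; stands in for Facebook's real list).
PARTNER_HOSTS = {"partner.example"}


def extract_targets(url):
    """Return the absolute http(s) URLs found in redirect-style query params."""
    qs = parse_qs(urlparse(url).query)
    targets = []
    for name, values in qs.items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            parsed = urlparse(value)
            if parsed.scheme in ("http", "https") and parsed.netloc:
                targets.append(value)
    return targets


def audit_redirect(url, own_hosts, partner_hosts=PARTNER_HOSTS, max_depth=3):
    """Walk redirect parameters by parsing only (no network access).

    Returns (verdict, chain), where chain is the list of hosts encountered:
      'ok'      every hop after the first is an own or partner host
      'direct'  the first hop already leaves the trusted set
      'chained' an untrusted host is reached *through* a trusted one, which is
                the open redirect the report describes
    """
    chain = [urlparse(url).netloc.lower()]
    current = url
    for _ in range(max_depth):
        targets = extract_targets(current)
        if not targets:
            break
        current = targets[0]
        chain.append(urlparse(current).netloc.lower())

    trusted = set(own_hosts) | set(partner_hosts)
    offenders = [host for host in chain[1:] if host not in trusted]
    if not offenders:
        return "ok", chain
    # Hop index 1 means the posted link itself was off-list; 2 or more means
    # a trusted host forwarded the user onward.
    verdict = "chained" if chain.index(offenders[0]) >= 2 else "direct"
    return verdict, chain


if __name__ == "__main__":
    own = {"www.facebook.com", "l.instagram.com"}
    sample = ("https://www.facebook.com/dialog/oauth?redirect_uri="
              "https%3A%2F%2Fpartner.example%2Flogin%3Fgotourl%3D"
              "https%3A%2F%2Fattacker.example%2F")
    print(audit_redirect(sample, own))
```

A link whose `u` parameter points at a URL shortener is reported as `direct` like any other off-list host; the parser cannot see through the shortener without fetching it, which is exactly the limit Facebook's later reply points out.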


Instagram:

In the same way as for Facebook, by using the following dork on Google: “site:instagram.com inurl:u=http”.

44,800 results are returned, giving us plenty of room to find an open redirect.

It gets even easier by using the bit.ly website.

Proof of concept Instagram:

1. Browse bit.ly
2. Shorten your malicious page URL
3. Share this link with victims: http://l.instagram.com/?e=ATMdhO1KvVC5dmRw0CLaUpD278B8BvKSVNVokazwaa-djEQT4yaI9llT&u=http%3A%2F%2Fbit.ly%2F1bdDlXc
4. Change the parameter “u” value to your bit.ly phishing link
5. This shortened URL was created by me and will redirect to Google, but, as you know, any URL can be shortened.

How to exploit these vulnerabilities

An attacker may successfully launch a phishing scam and steal user credentials or infect a user's device. Because the server name in the modified link is identical to the original site's, phishing attempts may appear more trustworthy.

Affected browsers:

Google Chrome: Working
Firefox: Working
Internet Explorer: Working
Opera: Working
Safari: Working


Possible solutions:

Simply avoid using redirects without user interaction.

  1. If redirects are used, do not allow the user to input a URL to set the destination; this can usually be done. In this case you should have a method to validate the URL.
  2. If user input can't be avoided, ensure that the supplied value is valid, appropriate for the application, and authorized for the user.
  3. It is recommended that any such destination input be mapped to a value, rather than the actual URL or a portion of it, and that server-side code translate this value to the target URL.
  4. Sanitize input by creating a list of trusted URLs (a list of hosts or a regex).
  5. Force all redirects to first go through a page notifying users that they are leaving your site, and have them click a link to confirm.
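The recommendations above fit together in a single redirect endpoint: opaque destination keys translated server-side, an exact-host allowlist for the cases that must accept a raw URL, and an interstitial before leaving the site. The following is an added example written for this post, not code from the report or from Facebook; the destination map, the trusted hosts, the `/leaving` path and every URL in it are constructed for illustration.

```python
"""Added example (not from the original post): a redirect endpoint applying the
post's recommendations. Hosts, keys and paths are constructed placeholders."""
from urllib.parse import urlparse, urlencode

# Map destination keys to URLs server-side, so user input is never a URL.
DESTINATIONS = {
    "help": "https://help.example/",
    "partner": "https://partner.example/",
}

# Exact-host allowlist for the cases that must accept a raw URL (constructed).
TRUSTED_HOSTS = {"www.example", "help.example", "partner.example"}

# Where anything unknown or untrusted lands instead of an attacker-chosen page.
FALLBACK = "https://www.example/"


def resolve_by_key(key):
    """Translate an opaque key to its URL; unknown keys go to the fallback."""
    return DESTINATIONS.get(key, FALLBACK)


def is_trusted_url(candidate):
    """Accept only absolute http(s) URLs whose host matches the allowlist exactly.

    Rejects scheme-relative '//evil', non-web schemes such as 'javascript:',
    userinfo tricks like 'https://partner.example@evil.test/' and lookalike
    hosts such as 'partner.example.evil.test' (exact match, not substring).
    """
    parsed = urlparse(candidate)
    if parsed.scheme not in ("http", "https"):
        return False
    if "@" in parsed.netloc:
        return False
    return parsed.hostname is not None and parsed.hostname in TRUSTED_HOSTS


def plan_redirect(key=None, url=None, confirmed=False):
    """Decide what the endpoint should do. Returns (action, target).

    action is 'redirect' (issue the redirect to target) or 'interstitial'
    (render the notice page at target). Keys are trusted by construction and
    redirected immediately; raw URLs are validated and, even when trusted,
    shown on the confirmation page first unless the user already confirmed.
    """
    if key is not None:
        return "redirect", resolve_by_key(key)
    if url is None or not is_trusted_url(url):
        return "redirect", FALLBACK
    if confirmed:
        return "redirect", url
    return "interstitial", "/leaving?" + urlencode({"to": url})


if __name__ == "__main__":
    print(plan_redirect(key="help"))
    print(plan_redirect(url="https://partner.example/login?gotourl=https://attacker.example/"))
```

Note what the allowlist alone cannot do: a URL on a trusted partner host that itself carries an open redirect (the `gotourl` case in the report) passes `is_trusted_url`, because the host really is trusted. That is why the key mapping and the interstitial matter: with keys there is no URL for a partner's flaw to be chained to, and with the notice page the user sees the real destination before any redirect fires.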

Facebook Reply:

Hello Diogo, Thank you for sharing this information with us. As was mentioned in your previous submission, you have set up an App that has the domain “http://www.mheducation.com/” whitelisted, and this domain has a URL redirect vulnerability. An App owner setting a vulnerable site as their redirect is not within Facebook’s control. Furthermore, the redirect to a malicious site happens off the Facebook domain. As such, this does not qualify for our bounty program. Although this issue does not qualify as a part of our bounty program we appreciate your report. We will follow up with you on any security bugs or with any further questions we may have. Thank you for contacting Facebook. Roger Security

Unfortunately the reply was the same as for the first report.

Update:

Hello Diogo, Thank you for your report. We are aware of such link shortening / hiding tools. However, it is a difficult issue to comprehensively mitigate. For example, let’s say Instagram attempted to expand all links from a shortening site when a user posts a link. A user intent on bypassing this check might use a second link shortening site in addition to the original one. If Instagram checked 2 levels deep, users could post links 3 levels deep. Additionally, if a user owns a site containing an open redirect, they could also simply link to their own site, which would then redirect to a blacklisted site from there. Instagram does provide what we feel is a reasonable level of checking for this type of behavior. We will continue to monitor for this and may make additional changes here in the future if it becomes necessary. Thank you for contacting Facebook. Roger Security
