Facebook - Linkshim Evasion and URL Redirection : Write Up by Paul OS

Paul OS, one of the good Facebook bug hunters, has submitted a write-up of a URL redirection bug in Facebook to Pentesting-Lab.

Let's check out the write-up in his own words.

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Recently I was browsing through Facebook mobile (m.facebook.com) and I found a notification that a friend had tagged me in a post… well, the post wasn't that interesting, so I decided to hide it. When clicking on hide, I noticed the URL contained a parameter called 'continue' followed by stories.php:

https://m.facebook.com/feed_menu/?story_fbid=808015282566492&id=100000740832129&confirm=h&continue=stories.php&perm&no_fw=1&_rdr

So I figured that could lead to a URL redirection if I changed the continue parameter to something like http://evilzone.org, but the Linkshim was rechecking it and returning it back as m.facebook.com/http://evilzone.org, so the redirection wasn't successful. But then I noticed that the parameter can be tricked using path traversal tricks like ../

When I gave the URL parameter something like

&continue=../http://evilzone.org

I was able to bypass the Linkshim and get a successful redirection to Evilzone.org (which, by the way, is a link blocked by Facebook).

So the full parameter for redirection including the Linkshim evasion was

https://m.facebook.com/feed_menu/?story_fbid=808015282566492&id=100000740832129&confirm=h&continue=../http://evilzone.org&perm&no_fw=1&_rdr

And none of the other parameters need to be accurate; the story_fbid and id parameters can be any number, so we don't need the victim's special parameters to execute the redirection.

Now the issue has been fixed and Facebook has promised to reward me with $1000 USD for this bug. I would like to thank the Facebook Security Team so much for their cool support and generous amount.
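The defensive lesson in the write-up above is that a redirect parameter must be judged after it has been resolved, not as raw text, because a string like `../http://evilzone.org` looks on-site until path resolution is applied. The following is an added example (editor's code, not from Paul OS's write-up and not Facebook's or Linkshim's actual implementation): a server-side validator for a `continue`-style parameter that resolves the value against the site's own origin first and then checks scheme, host, path and query. `SITE_BASE`, `ALLOWED_HOSTS`, the character classes and the fallback page are all constructed assumptions for the example.

```python
import re
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed values for this example: the origin that issues the redirect and the
# hosts a "continue" target is allowed to land on. Not Facebook's real configuration.
SITE_BASE = "https://m.facebook.com/"
ALLOWED_HOSTS = {"m.facebook.com", "www.facebook.com"}

# After resolution, a legitimate on-site target is plain path segments and a simple query.
_SAFE_PATH = re.compile(r"^[A-Za-z0-9_\-./]*$")
_SAFE_QUERY = re.compile(r"^[A-Za-z0-9_\-=&%.+]*$")


def safe_continue(raw):
    """Validate a 'continue'-style parameter.

    Returns an absolute URL on an allowed host, or None if the value must be
    rejected. The key idea: resolve the raw value against the site's own base
    the way a browser would, then judge the *resolved* URL, so that traversal
    ("../"), scheme-relative ("//host"), userinfo ("host@evil") and embedded
    scheme tricks are all examined in their final form rather than as text.
    """
    if raw is None or len(raw) > 2048:
        return None
    # Control characters and whitespace: browsers strip them, parsers disagree.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in raw):
        return None

    resolved = urljoin(SITE_BASE, raw)  # dot-segments ("..") are collapsed here
    parts = urlsplit(resolved)

    # Only web schemes and only our own hosts (urlsplit lower-cases the host).
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        return None
    # "../http://evilzone.org" resolves to an on-site path that still contains
    # "http:"; the ':' fails this check, so nothing downstream can re-interpret it
    # as a second URL.
    if not _SAFE_PATH.match(parts.path) or "//" in parts.path:
        return None
    if not _SAFE_QUERY.match(parts.query):
        return None

    # Rebuild from the validated pieces instead of echoing the caller's string.
    return urlunsplit(("https", parts.hostname, parts.path, parts.query, ""))


def hide_story_redirect(params):
    """Handler sketch: choose the Location header for the post-action redirect.

    `params` is a dict of query parameters. A rejected or missing 'continue'
    falls back to a fixed on-site page instead of echoing the input.
    """
    target = safe_continue(params.get("continue"))
    return target if target is not None else urljoin(SITE_BASE, "stories.php")


if __name__ == "__main__":
    # Constructed inputs, including the two values that appear in the write-up.
    for value in ["stories.php", "http://evilzone.org", "../http://evilzone.org",
                  "//evilzone.org/", "https://m.facebook.com@evilzone.org/"]:
        print(f"{value!r:45} -> {safe_continue(value)}")
```

The design choice worth noting is the order of operations: resolve first, then allow-list the host and restrict the path to a narrow character set. A check on the raw string ("does it start with http://?") is exactly the kind of check that `../` slipped past in the write-up; a check on the resolved URL sees the same final destination the browser will.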
