Hacker, Researcher and Author.

Home Hack Facebook Facebook URL Redirection Vulnerability

Facebook URL Redirection Vulnerability


Friends, Recently I found a "Redirection Vulnerability" inside Facebook, However facebook refused to accept it as according to them the vulnerability targets very few people. This is what they replied:

Hi Rafay,

This endpoint contains a specialized parameter that limits its usage to a small number of computers and users, preventing it from being used as a completely open redirect. For more detailed background information, please see this note by one of the engineers on the product: http://www.facebook.com/notes/facebook-security/link-shim-protecting-the-people-who-use-facebook-from-malicious-urls/10150492832835766

 =================================================================
Facebook Open Redirect Vulnerability
=================================================================

 Affected Application   : Main Website
Severity     : Medium
Local/Remote    : Remote
Vulnerable url     : http://facebook.com/l.php?u=http://rafayhackingarticles.net&sugexp=chrome,mod=9
&sourceid=chrome&ie=UTF-8&h=AAQGmYELO

 Vulnerable URL:
www.facebook.com/l.php?u=https://rafayhackingarticles.net&h=YAQH4kMuY&s=1

Discovered by: Rafay Baloch - [rafaybaloch(at)gmail(dot)com]

[Summary]

 Due to a parameter filtering weakness any supplied input is accepted; as result redirects a user to the parameter value without any validation.

Note: This vulnerability works for only few users, It won't work for every one.

 Upadate: If the URL mentioned above does not work, kindly try the following:
www.facebook.com/l.php?u=https://google.com&h=YAQH4kMuY&s=1

13 comments:

  1. AnonymousSeptember 25, 2012 at 9:35 AM

    How does this equate to facebook being hacked?

    ReplyDelete
  2. GazzalySeptember 25, 2012 at 8:33 PM

    Finally you did it :') Proud of you Bro..

    Regards
    M.Gazzaly
    (http://www.gazzaly.info)

    ReplyDelete
  3. AniketSeptember 25, 2012 at 10:26 PM

    It's nothing harmful..The facebook asks - it an external site, you can continue or not..it's upto you. They even show the url, you'll b visiting.

    ReplyDelete
  4. AnonymousSeptember 26, 2012 at 4:10 AM

    It works for me..cheers

    ReplyDelete
  5. MarconySeptember 26, 2012 at 6:07 AM

    This is very dangerous, but has since been corrected. Thanks for reporting.

    (Two are appearing on social networking sweepstakes Blog posts).

    ReplyDelete
  6. AnonymousSeptember 29, 2012 at 7:34 AM

    sir,what is the use of it?

    ReplyDelete
  7. AnonymousOctober 13, 2012 at 5:22 AM

    thanks buddy. it works!!

    ReplyDelete
  8. AnonymousOctober 13, 2012 at 5:25 AM

    @ Anonymous 6 : Suppose I have an infected website and want the victim to visit it to make his computer infected, I'll attach my infected website's url behind the trusted website's url and make the victim believe that it's a part of the trusted website.
    BINGO!! I'm done!!!

    ReplyDelete
  9. UnknownOctober 18, 2012 at 11:57 PM

    I not get your point can u help to explain again pls

    ReplyDelete
  10. UnknownOctober 19, 2012 at 12:02 AM

    Hey can u help me explain it i not get what u says
    send me step in my email id pls

    ReplyDelete
  11. AnonymousNovember 6, 2012 at 1:02 AM

    pls hack this account and send to me a password augustine nitcha. . . that is his name . . . pls help me to get his password because a want to revenge him .....pls help me ASAP. . . .

    send into my yahoomail . .angiliecabungcal@yahoo.com

    ReplyDelete
  12. UnknownNovember 9, 2012 at 9:24 AM

    hiiiiiiiiiiii i am also a baloch

    ReplyDelete
  13. AnonymousMarch 5, 2013 at 4:52 AM

    Ye Kis Chez kay Liay hay Didnt Understand

    ReplyDelete

Subscribe to: Post Comments (Atom)
© 2016 All Rights Reserved by RHA Info Sec. Top

Contact Form

Name

Email *

Message *

Powered by Blogger.