Open Redirection Vulnerability in Facebook Mobile website

Posted: 22/02/2013 in Uncategorized

Prakhar Prasad, a web application security researcher, has discovered an open redirection vulnerability in the Facebook mobile website (m.facebook.com).

An open redirect is an application endpoint that takes a URL as a parameter and redirects the user to that value without validating it. Such a flaw is used in phishing attacks: a link that visibly points at a trusted domain silently forwards the victim to an attacker-controlled site.

Usually, when you try to visit an external link on Facebook, the URL is passed to the "l.php" page, which displays a "Leaving Facebook" message before redirecting. So if the link is malicious, the user at least sees a warning page first.

But Prasad discovered that one of the pages on the Facebook mobile site redirects the user directly to the external link, with no warning page in between.

POC:

http://m.facebook.com/video_redirect/?src=http://www.google.com

He found this vulnerability when he tried to view an uploaded video on the Facebook mobile website.
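As an added illustration (not code from the post or from Facebook), the following Python sketch contrasts a handler that behaves like the flawed `video_redirect` endpoint with one that applies the "Leaving Facebook" interstitial pattern described above; the allowlisted hosts, function names and the interstitial header are assumptions for the example.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this example: hosts the application may send users to directly.
ALLOWED_HOSTS = {"m.facebook.com", "www.facebook.com"}


def vulnerable_video_redirect(src):
    """Mirrors the flaw in the post: whatever `src` holds becomes the Location target."""
    return src


def classify_redirect_target(src, allowed_hosts=ALLOWED_HOSTS):
    """Return 'internal', 'allowlisted' or 'external' for a redirect target.

    Covers the shapes a naive 'starts with /' or 'contains facebook.com' check
    gets wrong: protocol-relative '//host', backslash variants '/\\host',
    extra leading slashes '///host', non-http schemes, and userinfo such as
    'https://m.facebook.com@other.example' (the real host is after the '@').
    """
    # Browsers treat backslashes in the authority position as slashes; normalise first.
    candidate = src.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme not in ("", "http", "https"):
        return "external"  # javascript:, data:, etc. are never followed
    if parts.netloc == "":
        # No authority component: accept only a plain relative path that starts
        # with exactly one '/'. '///host' has an empty netloc but resolves to a host.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return "internal"
        return "external"
    if parts.username is not None or parts.password is not None:
        return "external"  # userinfo in a redirect target is a classic bypass
    host = (parts.hostname or "").lower()
    return "allowlisted" if host in allowed_hosts else "external"


def safe_video_redirect(src):
    """Return (status, headers): 302 for trusted targets, otherwise a 200
    interstitial page that names the destination instead of redirecting."""
    kind = classify_redirect_target(src)
    if kind in ("internal", "allowlisted"):
        return 302, {"Location": src}
    # External target: render a "Leaving Facebook"-style warning page (header name assumed).
    return 200, {"X-Interstitial-Target": src}
```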

The researcher immediately notified Facebook about the vulnerability. Facebook fixed it and rewarded him with $500.
