Facebook Bug - Open Redirection To Blocked Sites
Link Shim Of Facebook (l.php)
A very good explanation for 'Link Shim' can be found here. It is a sweet note written by one of the security engineer at Facebook. In short, Facebook tries to protect their users by creating a list of harmless sites and harmful sites. So, sites which are malicious and are marked as `harmful` cannot be used on facebook.
eg. A user cannot post a link of a blocked site.
Try to post `http://ringcloud.com` on Facebook. You won't be allowed and a `warning` message will be displayed saying that `ringcloud.com` is blocked.
Send Dialog
Facebook introduced a 'Send Dialog' long time back. You can find details about it here. It was designed for sending private messages with `links` to one's friends, etc. It can be integrated on third party sites.
Have a look at this
https://www.facebook.com/dialog/send?app_id=145634995501895&link=http://www.pranavhivarekar.in/2014/10/hackerone-bug-redirect-filter-bypass.html&redirect_uri=https://www.google.com
The 'Send Dialog' accepts few parameters.
1. app_id (App needs to be created for using send dialog)
2. link (Link to be shared)
3. redirect_uri (Redirection to site mentioned here after sending message)
After pressing `Send` or `Cancel` user will be redirected to the site mentioned in `redirect_uri`.
Final Exploit
The values passed to `link` parameter were getting passed through 'Link Shim'. So, attacker is limited to share only those links which are present in `harmless` list of link shim.
eg. Attacker can share any link like `http://pranavhivarekar.in`.
Now, note other `redirect_uri` parameter. I observed that it was not passed through link shim. So. attacker can redirect victims to any site after sending message.
eg. Attacker can redirect users to any site like `http://pranavhivarekar.in`.
So, what is the bug here?
I checked `redirect_uri` parameter against `harmful` list of 'Link Shim' and was really amused and glad to see the redirection to `harmful` site.
eg. I entered `http://ringcloud.com` and after `Sending`message or pressing `Cancel` it redirected me to `http://ringcloud.com`
So, it proves that there were no access controls placed to protect users from redirection to `harmful` sites and it did violate the working of 'Link Shim'. So, this bug was accepted and rewarded by facebook.
Now, if you try to use this exploit then it will show error like this.
eg. Try this --->
https://www.facebook.com/dialog/send?app_id=145634995501895&link=http://www.pranavhivarekar.in&redirect_uri=https://ringcloud.com
It will show you error like.
This bug was rewarded as it affected other users of Facebook and for pointing exactly about the policy of 'Link Shim'.
About The Author:
You can stay in contact with me(Pranav Hivarekar) on Facebook and can follow me on Twitter. Also, you can check my blog (http://pranavhivarekar.in) for new findings.
Thanks for spending time to read this ...! Comments are welcome. :-)
Post a Comment
EmoticonClick to see the code!
To insert emoticon you must added at least one space before the code.