Facebook Bug - Open Redirection To Blocked Sites

Bài liên quan

• check_dhcp 2.0.2 (Nagios Plugins) - Arbitrary Option File Read Race Condition Exploit
• Joomla Youtube Gallery Component - SQL Injection Vulnerability

• Facebook ra mắt công cụ kiểm tra an toàn người dùng sau thiên tai
• Facebook 'lừa' người dùng, không ra nút 'dislike' nào cả

• Android Network Toolkit (ANTI) Capable Of Mapping Your Network
• MOSCRACK Perl Application Tool For Cracking WPA Keys

Facebook Bug - Open Redirection To Blocked Sites

---

Link Shim Of Facebook (l.php) 

---

A very good explanation for 'Link Shim' can be found here. It is a sweet note written by one of the security engineer at Facebook. In short, Facebook tries to protect their users by creating a list of harmless sites and harmful sites. So, sites which are malicious and are marked as `harmful` cannot be used on facebook.

eg. A user cannot post a link of a blocked site.

Try to post `http://ringcloud.com` on Facebook. You won't be allowed and a `warning` message will be displayed saying that `ringcloud.com` is blocked.

---

Send Dialog

---

Facebook introduced a 'Send Dialog' long time back. You can find details about it here. It was designed for sending private messages with `links` to one's friends, etc. It can be integrated on third party sites.

Have a look at this

https://www.facebook.com/dialog/send?app_id=145634995501895&link=http://www.pranavhivarekar.in/2014/10/hackerone-bug-redirect-filter-bypass.html&redirect_uri=https://www.google.com

The 'Send Dialog' accepts few parameters.

1. app_id (App needs to be created for using send dialog)

2. link (Link to be shared)

3. redirect_uri (Redirection to site mentioned here after sending message)

After pressing `Send` or `Cancel` user will be redirected to the site mentioned in `redirect_uri`.

---

Final Exploit 

---

The values passed to `link` parameter were getting passed through 'Link Shim'. So, attacker is limited to share only those links which are present in `harmless` list of link shim.

eg. Attacker can share any link like `http://pranavhivarekar.in`.

Now, note other `redirect_uri` parameter. I observed that it was not passed through link shim. So. attacker can redirect victims to any site after sending message.

eg. Attacker can redirect users to any site like `http://pranavhivarekar.in`.

So, what is the bug here?

I checked `redirect_uri` parameter against `harmful` list of 'Link Shim' and was really amused and glad to see the redirection to `harmful` site.

eg. I entered `http://ringcloud.com` and after `Sending`message or pressing `Cancel` it redirected me to `http://ringcloud.com`

So, it proves that there were no access controls placed to protect users from redirection to `harmful` sites and it did violate the working of 'Link Shim'. So, this bug was accepted and rewarded by facebook.

Now, if you try to use this exploit then it will show error like this.

eg. Try this --->

https://www.facebook.com/dialog/send?app_id=145634995501895&link=http://www.pranavhivarekar.in&redirect_uri=https://ringcloud.com

It will show you error like.

---

This bug was rewarded as it affected other users of Facebook and for pointing exactly about the policy of 'Link Shim'.

About The Author:

You can stay in contact with me(Pranav Hivarekar) on Facebook and can follow me on Twitter. Also, you can check my blog (http://pranavhivarekar.in) for new findings.

Thanks for spending time to read this ...! Comments are welcome. :-)