Arul Kumar discovered Open URL Redirection Bugs in facebook worth $1500

Arul Kumar, a bug hunter from TamilNadu,India who recently got $12,500 as bounty from Facebook, has today shared how he managed to identify multiple open url redirection vulnerabilities in Facebook.

He identified three open url redirection vulnerabilities in the facebook's dialogs, it could be exploitable to all users who are signed into facebook.

At first, facebook team rejected his finding because it needs some user interaction- users should click ok button in order to redirect the target website.

 

However, Arul managed to bypass it and redirect to the target website without user interaction. The facebook team accepted the vulnerability after bypassing the user interaction and offered $1500 bounty.

The list of vulnerable URL:
  • https://m.facebook.com/dialog/send?next=htp://google.com&error_ok=arul 
  • https://m.facebook.com/dialog/pagetab?next=htp://google.com&error_ok=arul 
  • https://m.facebook.com/dialog/apprequests?next=htp://google.com  &error_ok=arul

Open Redirection Vulnerability in Facebook Mobile website

Prakhar Prasad, a Web application security Researcher, has discovered Open Redirection vulnerability in the Facebook mobile website(m.facebook.com).

An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it

Usually, when you try to visit external links in facebook, the url will be passed to "l.php" page that will displays "Leaving Facebook" message before redirecting. So if it is malicious link, the page will show warning message.

But Prasad discovered one of the page in Facebook mobile redirects user directly to the external link.

POC:
http://m.facebook.com/video_redirect/?src=http://www.google.com
He found this vulnerability when he tried to view the uploaded video on Facebook mobile website.

Researcher immediately sent notification to Facebook about the vulnerability .  Facebook fixed the vulnerability and rewarded researcher with $500.