February 21, 2013 · Bug Bounty Open Redirect Facebook

Facebook Whitehat Vulnerability for 2013: Open Redirection in Facebook Mobile

Sometime back, I found an open redirect vulnerability in Facebook mobile site (http://m.facebook.com)

According to OWASP:

An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it

So typically what happens in Facebook is that whenever you try to visit any external links, the URL is first thrown to l.php (See the note from Facebook Security here) and then l.php redirects to the website and before redirecting if l.php finds the website to be marked malicious then it won't redirect and will display an error message.

Now one fine day while browsing the Facebook mobile website I noticed someone had uploaded a video on Facebook so I tried to view it by clicking the video thumbnail and a download pop-up appeared.On careful examination the link Facebook used to generate the URL was like this:


So I manipulated the 'src' parameter to something like http://www.google.com, so the link became:


Whoa! It successfully redirected to http://www.google.com , so this was the issue.

Facebook fixed this issue within two weeks. I have been featured in Facebook Whitehat List for 2013.