Intentional Open Redirect Vulnerability In Facebook

Kaushal Agarwal
2 min read, Sep 27, 2020

Hello Everyone!

Today I am going to talk about one of the vulnerabilities that I found in Facebook (website & Android) recently. I found an Open Redirect vulnerability (https://blog.detectify.com/2016/08/15/owasp-top-10-unvalidated-redirects-and-forwards-10/) in a Facebook page URL that any attacker could use to steal a victim's credentials by sending them to a phishing website, or even to run malicious JavaScript in the victim's browser (that is client-side script execution, not remote code execution on a server).

Note: Before continuing with the post, I suggest you watch the attached videos in order to understand the issue properly. One was recorded before reporting this issue to Facebook, the other after the URL had been blacklisted and protected by Facebook.

Before Fix
After Fix

Unfortunately, according to Facebook it was intentional behaviour (just to be clear, this was already mentioned in their scope; I missed that before reporting the issue). According to them, the Link Shim server uses some sort of ML classifier in order to blacklist redirection to a malicious URL (the one provided by the attacker). Once the Link Shim server has blacklisted the malicious URL, from then on the user is redirected to an interstitial page (a warning page telling the user that they are being redirected to a page outside the Facebook domain). Hence no bounty (#Sed Lyf) was awarded.

After learning all this, just two questions pop into my mind:

  1. Firstly, I wonder why FB is using ML classifiers to predict malicious URLs when it could be done with a single if-else (please correct me if I am wrong). They just have to check whether the destination URL is outside the FB domain or not: if it is outside the FB domain, redirect to the interstitial page, otherwise redirect directly. I even suggested this fix to them, and according to my checks of the URL afterwards, they took my suggestion and fixed it the very next day after my report (I am not 100% sure).
  2. Last but not least, are companies allowed to willingly host a website/app that violates secure design principles and simply ignore it even after knowing about the issue?
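Here is the single check proposed in question 1, written out as an added example (this is not the post's or Facebook's code; the first-party host list and the three outcomes "redirect", "interstitial" and "block" are assumptions made for the example). It shows that the "is this target on our domain?" decision really is a few lines, but also that those lines have to be the right ones: suffix matching on a dot boundary, rejecting userinfo (`https://facebook.com@evil.example`), protocol-relative (`//evil.example`) and `javascript:`/`data:` targets are what separates a working filter from one with the usual open-redirect bypasses. It also makes the limit of the check visible: a host allow-list separates on-site from off-site targets, and says nothing about whether an off-site page is a phishing page.

```python
# Added example: an allow-list check for a redirect target.
# Not Facebook's code; ALLOWED_HOSTS and the three outcomes are assumptions.
from urllib.parse import urlsplit

# Assumed first-party hosts: an exact host or any subdomain of it is "on-site".
ALLOWED_HOSTS = ("facebook.com", "fb.com")
ALLOWED_SCHEMES = ("http", "https")


def host_allowed(host: str, allowed=ALLOWED_HOSTS) -> bool:
    """True for an allowed host or a subdomain of one.

    Matching on a dot boundary is what defeats 'facebook.com.evil.example'
    and 'notfacebook.com'; a bare endswith() check would accept the first.
    """
    host = host.lower().rstrip(".")          # 'facebook.com.' (trailing dot) is the same host
    return any(host == a or host.endswith("." + a) for a in allowed)


def decide_redirect(target: str, allowed=ALLOWED_HOSTS) -> str:
    """Classify a redirect target as 'redirect', 'interstitial' or 'block'.

    redirect      -> first-party host, send the user straight there
    interstitial  -> well-formed absolute http(s) URL to another site,
                     show the "you are leaving" warning page
    block         -> not a plain absolute http(s) URL (javascript:, data:,
                     protocol-relative, userinfo tricks, control characters)

    This decides on-site vs off-site only; it cannot tell a benign
    off-site page from a phishing page.
    """
    if not target or target != target.strip():
        return "block"                        # leading/trailing whitespace: classic parser-confusion input
    if any(c in target for c in "\\\x00\r\n\t"):
        return "block"                        # browsers treat '\' as '/', urlsplit does not: refuse rather than guess
    try:
        parts = urlsplit(target)
    except ValueError:
        return "block"                        # e.g. malformed IPv6 literal
    if parts.scheme not in ALLOWED_SCHEMES:
        return "block"                        # also catches scheme '' : '//evil.example' and relative paths
    if "@" in parts.netloc or parts.hostname is None:
        return "block"                        # 'https://facebook.com@evil.example' -> real host is evil.example
    if host_allowed(parts.hostname, allowed):
        return "redirect"
    return "interstitial"


# Constructed sample targets (not taken from the post), with the expected outcome.
SAMPLES = {
    "https://www.facebook.com/settings": "redirect",
    "https://FACEBOOK.COM./": "redirect",
    "https://example.org/": "interstitial",
    "https://facebook.com.evil.example/": "interstitial",
    "https://evil.example/#https://facebook.com": "interstitial",
    "https://facebook.com@evil.example/": "block",
    "//evil.example/": "block",
    "javascript:alert(document.domain)": "block",
    "data:text/html,<script>alert(1)</script>": "block",
    " https://facebook.com/": "block",
}


def classify_samples() -> dict:
    """Run decide_redirect over every constructed sample."""
    return {t: decide_redirect(t) for t in SAMPLES}


if __name__ == "__main__":
    for target, outcome in classify_samples().items():
        print(f"{outcome:12} {target}")
```

Hosts that only look first-party after decoding (percent-encoded or IDN/punycode hostnames) fall through to "interstitial" here, which is the safe direction for a check like this: the worst case is one extra warning page, not a silent redirect off-site.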

Thank you everyone for giving a considerable amount of time to this article. In the end, I just want to make one thing clear: I don't have any intention of harming the reputation of Facebook, nor any hard feelings.

It's just that I want to know: wasn't my finding a valid finding? Are users of Facebook really safe with Link Shim protection? Shouldn't I be rewarded a bounty for it? Please leave comments if you have any suggestions, and do clap if you like the article.
