Hi, I am Rafay Baloch, a security researcher, author and a public speaker.

Facebook URL Redirection Vulnerability

Friends, recently I found a "Redirection Vulnerability" inside Facebook. However, Facebook refused to accept it, as according to them the vulnerability targets very few people. This is what they replied:

Hi Rafay,

This endpoint contains a specialized parameter that limits its usage to a small number of computers and users, preventing it from being used as a completely open redirect. For more detailed background information, please see this note by one of the engineers on the product: http://www.facebook.com/notes/facebook-security/link-shim-protecting-the-people-who-use-facebook-from-malicious-urls/10150492832835766

Facebook Open Redirect Vulnerability

Affected Application : Main Website
Severity             : Medium
Local/Remote         : Remote
Vulnerable URL       : http://facebook.com/l.php?u=http://rafayhackingarticles.net&sugexp=chrome,mod=9

Discovered by: Rafay Baloch - [rafaybaloch(at)gmail(dot)com]


Due to a parameter filtering weakness, any value supplied in the u parameter is accepted; as a result the endpoint redirects the user to that value without any validation.
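To make the weakness concrete, the following is an added example and not code from the original post or from Facebook: a minimal redirect endpoint that trusts its u parameter, the open-redirect pattern described above, beside a hardened version that only follows the target when it carries a valid HMAC tag minted by the site itself, the general idea behind the signed link-shim that Facebook's reply points to. The host example.test, the parameter name h, the secret and the sample URLs are assumptions for illustration.

```python
# Added example: an open-redirect handler and its hardened counterpart.
# Not the original post's code and not Facebook's implementation; the
# endpoint host, the "h" parameter and the secret are assumed for illustration.
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed secret for the example; a real deployment keeps it server-side only.
SERVER_SECRET = b"example-secret-not-the-real-one"


def _query(url):
    """Return the query string of a redirect URL as a dict of single values."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def redirect_target_vulnerable(url):
    """Vulnerable pattern: wherever 'u' points is where the user is sent."""
    return _query(url).get("u")


def sign_target(target):
    """Mint the tag the site attaches to the outbound links it generates."""
    return hmac.new(SERVER_SECRET, target.encode(), hashlib.sha256).hexdigest()


def build_signed_redirect(target):
    """Build the redirect URL the site itself would emit for a link."""
    return "http://example.test/l.php?" + urlencode({"u": target, "h": sign_target(target)})


def redirect_target_hardened(url):
    """Hardened pattern: follow 'u' only if 'h' is a valid tag for it and the
    target is a plain http(s) URL. Returns None when the caller should refuse
    (show an interstitial warning or answer 400) instead of redirecting."""
    q = _query(url)
    target, tag = q.get("u"), q.get("h")
    if not target or not tag:
        return None
    parsed = urlparse(target)
    # Blocks javascript:, data:, and scheme-less "//evil.test" targets.
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None
    # Constant-time comparison; bytes so an arbitrary attacker 'h' cannot raise.
    if not hmac.compare_digest(sign_target(target).encode(), tag.encode()):
        return None
    return target


if __name__ == "__main__":
    crafted = "http://example.test/l.php?u=http://attacker.test/phish"
    print("vulnerable:", redirect_target_vulnerable(crafted))
    print("hardened, unsigned:", redirect_target_hardened(crafted))
    print("hardened, signed:", redirect_target_hardened(
        build_signed_redirect("http://rafayhackingarticles.net")))
```

The tag ties the redirect to a URL the site chose to emit, so an attacker who can only craft the u value cannot produce a matching h; the scheme check is a second, independent line of defence against non-HTTP targets even if a signed link is ever reused.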

Note: This vulnerability works for only a few users; it won't work for everyone.

Update: If the URL mentioned above does not work, kindly try the following:
