Original release date: July 18th, 2011
Last revised: July 22nd, 2011
Discovered by: Vicente Aguilera Diaz
Severity: 6.8/10 (CVSS Base Score)
BACKGROUND
Facebook is a social networking service and website (www.facebook.com) launched in February 2004, operated and privately owned by Facebook, Inc. As of July 2011, Facebook has more than 750 million active users.
DESCRIPTION
An open redirect is a vulnerability in which an application takes a parameter and redirects the user to the parameter value without validating it. Such vulnerabilities are used in phishing attacks to get users to visit malicious sites without realizing it.
The vulnerability is exploitable only between users who are friends.
PROOF OF CONCEPT
The malicious URL has the following structure:
http://www.facebook.com/l.php?u=<external website>&h=<security token>
where:
<external website>: the malicious site controlled by the attacker. It can, for example, be used to download malware, request private information from the user, etc.
<security token>: a token generated by Facebook from several values and used to decide whether the external link is trustworthy. The token is a 9-character string in the range [A-Z|a-z|0-9].
So the attacker only needs to know the <security token>.
On the other hand, the malicious URL is valid only if:
- the victim user is authenticated, or
- the victim user has logged out but has not closed the browser
--- How to obtain the <security token>
The attacker logs in to Facebook, posts a link (for example: http://www.isecauditors.com) on her wall, and then opens the mobile site (m.facebook.com) to view the link.
There, the link has the following URL: http://m.facebook.com/l.php?u=http://www.isecauditors.com&h=DAQCCeLYW&refid=28
From that link the attacker obtains the <security token> from the value of the "h" parameter; in this case, "DAQCCeLYW".
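The advisory's core observation is that the "h" token is tied to the destination alone, so a value harvested from the attacker's own wall is accepted when any friend clicks the link. The following model, added here as an illustration and not Facebook's actual code, contrasts that design with a token that is also bound to the viewer's session and adds the scheme check that an interstitial-based redirect endpoint needs. The secret key, session identifiers and the helper names (weak_token, bound_token, resolve_redirect) are assumptions for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Hypothetical server-side secret, constructed for this example; a real
# deployment loads it from a key store and never hard-codes it.
SECRET_KEY = b"constructed-demo-secret-do-not-use"


def _sign(message: str, length: int) -> str:
    """HMAC-SHA256 over `message`, truncated to `length` hex characters."""
    mac = hmac.new(SECRET_KEY, message.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]


def weak_token(url: str) -> str:
    """Models the weakness the advisory relies on: the token depends on the
    destination only, so the value an attacker reads from her own wall is
    equally valid for every other viewer of the same link."""
    return _sign(url, 9)


def bound_token(url: str, session_id: str) -> str:
    """Hardened variant: the token also covers the viewer's session, so a
    value harvested under one account fails for any other account.  32 hex
    characters make guessing the token infeasible."""
    return _sign(session_id + "\n" + url, 32)


def resolve_redirect(query_string: str, session_id: str,
                     bind_to_session: bool = True):
    """Decide what the redirect endpoint does with one request.

    Returns ("redirect", url) when the link may be followed silently,
    ("interstitial", url) when the user must first see a warning page that
    names the destination, and ("reject", None) when the value must never
    reach a Location header at all."""
    params = parse_qs(query_string, keep_blank_values=True)
    u = params.get("u", [""])[0]
    h = params.get("h", [""])[0]

    # Only absolute http(s) URLs with a host are acceptable destinations;
    # this stops javascript:, data: and scheme-relative values before any
    # token check is even considered.
    parts = urlsplit(u)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ("reject", None)

    expected = bound_token(u, session_id) if bind_to_session else weak_token(u)
    # Constant-time comparison, so the token cannot be recovered byte by byte
    # from timing differences.
    if not hmac.compare_digest(h.encode("utf-8"), expected.encode("utf-8")):
        return ("interstitial", u)
    return ("redirect", u)


def token_demo():
    """Replays the advisory's scenario under both token designs.  Session ids
    are constructed values; the destination is the one the advisory uses."""
    dest = "http://www.isecauditors.com"

    # Attacker reads the 9-character token from her own wall and sends the
    # link to a friend; the friend's browser carries a different session.
    harvested = weak_token(dest)
    weak = resolve_redirect(f"u={dest}&h={harvested}", "victim-session",
                            bind_to_session=False)

    # Same replay against the session-bound design: the harvested token was
    # computed for the attacker's session and fails for the victim.
    harvested_bound = bound_token(dest, "attacker-session")
    bound = resolve_redirect(f"u={dest}&h={harvested_bound}", "victim-session")

    # A link the endpoint renders for the victim herself still works.
    legit = resolve_redirect(f"u={dest}&h={bound_token(dest, 'victim-session')}",
                             "victim-session")

    # Non-http destinations are refused before any token is examined.
    bad_scheme = resolve_redirect("u=javascript:void(0)&h=x", "victim-session")
    return weak, bound, legit, bad_scheme
```

Running token_demo() returns a silent redirect for the replayed weak token, an interstitial for the same replay under session binding, a redirect for the victim's own correctly signed link, and a rejection for the non-http value. The interstitial branch is what makes the endpoint "not open": an unsigned or foreign link still works, but only after the user has seen where it leads.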
--- How to exploit the malicious URL
The attacker has several ways to get another user to follow the malicious URL:
- leave a message on her wall with the malicious URL and share the message with her friends
- send a private message to a friend with the malicious URL
- share the malicious URL on a friend's wall
- share the malicious URL in a group of friends
- etc.
Obviously, a malicious user will obfuscate the redirection. For example, the attacker can use a URL shortening service (http://goo.gl, http://bitly.com, http://tiny.cc, etc.), use complex encoding techniques, add unnecessary parameters, etc.
For example, the following request can be sent in a private message to a friend and causes the friend to download a PDF file from the Internet Security Auditors website: http://www.facebook.com/l.php?app=1572&u=tiny%2ecc⁄owhvr&h=DAQCCeLYW
On the other hand, another vulnerability in Facebook facilitates the exploitation of this one. A user can leave a message on her wall with a link, and that link can point to a website different from the one shown in the link text.
This vulnerability can be exploited in three steps:
- Step 1) The user creates a status message with a URL, for example http://www.facebook.com, and leaves a blank space after the last letter
- Step 2) The Facebook application recognizes the URL and creates the link, for example http://www.facebook.com
- Step 3) The user deletes the URL from the status message and enters another, malicious URL. The Facebook application does not update the previous link.
So this vulnerability can be abused to facilitate the open redirect. For example, a user can leave a message on her wall or on her public profile and share it with other friends or with everyone. The process is:
- Step 1) The user creates a status message with a URL, for example http://www.facebook.com, and leaves a blank space after the last letter
- Step 2) The Facebook application recognizes the URL and creates the link, for example http://www.facebook.com
- Step 3) The user deletes the previous blank space and appends the resource and the query string: http://www.facebook.com/l.php?app=1572&u=tiny%2ecc⁄owhvr&h=DAQCCeLYW
- Step 4) The user shares this message with everyone.
Another way to inject the URL while preventing Facebook from decoding the malicious site is to leave a message on her wall with some text before the link.
For example:
"Download the better application from Facebook: http://www.facebook.com/l.php?app_id=1572&u=tiny%2ecc⁄owhvr&h=DAQCCeLYW"
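The three procedures above all rely on the same gap: the link (and its preview) is fixed at the moment the URL is first typed and is not re-derived from the text that is finally submitted. The example below is added here to show the server-side check that closes that gap; it is a constructed model, not Facebook's code, and the placeholder host attacker.invalid, the token TOKENPLACEHOLDER and the function names are assumptions.

```python
import re
from typing import Optional, Tuple

# An absolute http(s) URL running up to the next whitespace character.
URL_RE = re.compile(r"https?://\S+")


def detect_link(status_text: str) -> Optional[str]:
    """Client-side behaviour the advisory describes: the first URL typed into
    the status box becomes the attached link and its preview."""
    match = URL_RE.search(status_text)
    return match.group(0) if match else None


def finalize_post(final_text: str,
                  attached_link: Optional[str]) -> Tuple[str, Optional[str]]:
    """Server-side check at submit time.

    The link attached while the user was typing is only a hint: the
    destination that gets published is re-derived from the text that is
    actually submitted.  If the cached link no longer appears verbatim in
    that text, it is replaced by the first URL the final text contains (or
    dropped when there is none)."""
    urls = URL_RE.findall(final_text)
    if attached_link is not None and attached_link in urls:
        return final_text, attached_link            # preview still matches
    return final_text, (urls[0] if urls else None)  # stale preview: re-derive


def preview_demo():
    """Walks through the advisory's procedures with constructed text.  The
    destination host and the token are placeholders, not real values."""
    # Steps 1 and 2: URL followed by a blank, link detected and attached.
    draft = "http://www.facebook.com "
    cached = detect_link(draft)

    # First procedure, step 3: the URL is deleted and replaced by another.
    swapped = "http://attacker.invalid/lure"
    variant_a = finalize_post(swapped, cached)

    # Second procedure, step 3: the blank is removed and a path plus query
    # string is appended, so the shown link and the real destination differ.
    appended = ("http://www.facebook.com/l.php?u=http://attacker.invalid/"
                "&h=TOKENPLACEHOLDER")
    variant_b = finalize_post(appended, cached)

    # Text before the link (the third variant) changes nothing: the published
    # link is still whatever the final text actually contains.
    prefixed = "Download the better application from Facebook: " + appended
    variant_c = finalize_post(prefixed, cached)

    # An honest edit that keeps the original URL keeps the original link.
    unchanged = finalize_post(draft, cached)
    return cached, variant_a, variant_b, variant_c, unchanged
```

In every tampered variant finalize_post() discards the cached http://www.facebook.com preview and publishes the full l.php URL that the text really contains, so a reader sees the redirect endpoint rather than a bare facebook.com link; only the untouched draft keeps its original link.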
BUSINESS IMPACT
This vulnerability allows phishing attacks, effective malware distribution, etc.
SYSTEMS AFFECTED
The vulnerability affects the Facebook social network:
- www.facebook.com (primary Facebook website)
- m.facebook.com (Facebook mobile)
- touch.facebook.com (Facebook mobile)
SOLUTION
-
REFERENCES
http://www.facebook.com
http://www.isecauditors.com
CREDITS
This vulnerability has been discovered by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).
REVISION HISTORY
July 18, 2011: Initial release.
July 19, 2011: Proof of concept updated with more details.
DISCLOSURE TIMELINE
July 17, 2011: The vulnerability is discovered.
July 18, 2011: Facebook is notified of this vulnerability.
July 18, 2011: Facebook answers that the vulnerability is not exploitable.
July 19, 2011: Internet Security Auditors contacts Facebook and provides more details about how to exploit the vulnerability.
July 21, 2011: Facebook answers that the intentional functionality provided by the "l.php" endpoint is required, and that Facebook believes the security benefits generated by this functionality outweigh the perceived risks.
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.